
List:       owasp-dotnet
Subject:    OWASP Newsletter #1 – December
From:       "Dinis Cruz" <dinis () ddplus ! net>
Date:       2007-01-08 8:11:59
Message-ID: 701fd6b60701080011q4a97d22ctc5d03f0c9c5fb8bf () mail ! gmail ! com

Hello, please find below the 1st OWASP newsletter (also posted in the wiki
https://www.owasp.org/index.php/OWASP_Newsletter_1).

The idea is to send a newsletter every 1 to 2 weeks, and if you want to
include some materials or links in the next one, you have 4 options:

   - You can edit the http://www.owasp.org/index.php/OWASP_Newsletter_2 wiki
   page directly (good if you add new content to the wiki and want to make
   sure we don't miss it)
   - http://www.owasp.org/index.php/OWASP_Community
   - http://www.owasp.org/index.php/OWASP_News
   - http://www.owasp.org/index.php/Application_Security_News

Thanks Aaron for the work done in getting this newsletter together, and as
always everybody is invited to comment and help.

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org




OWASP Newsletter #1 – December 1st 2006 to December 31st 2006

   - OWASP Autumn of Code (AoC) update
     <https://www.owasp.org/index.php/OWASP_Newsletter_1#OWASP_Autumn_of_Code_.28AoC.29_update>
   - Featured Projects: ORG and OSG
     <https://www.owasp.org/index.php/OWASP_Newsletter_1#Featured_Projects:_ORG_and_OSG>
   - Latest additions to the WIKI
     <https://www.owasp.org/index.php/OWASP_Newsletter_1#Latest_additions_to_the_WIKI>
   - OWASP Community (from here on owasp.org)
     <https://www.owasp.org/index.php/OWASP_Newsletter_1#OWASP_Community_.28from__here_on_owasp.org.29>
   - OWASP News Headlines (from here on owasp.org)
     <https://www.owasp.org/index.php/OWASP_Newsletter_1#OWASP_News_Headlines_.28from_here_on_owasp.org.29>
   - Application Security News (from here on owasp.org)
     <https://www.owasp.org/index.php/OWASP_Newsletter_1#Application_Security_News_.28from__here_on_owasp.org.29>




 *Welcome to 2007 from all of us at OWASP!*

I would like to take a moment to welcome you all to our first edition of the
OWASP newsletter and introduce myself. My name is Aaron Holmes and I have
had the pleasure of working on the OWASP website as part of the OWASP Autumn
of Code (AoC) 2006. It has been a rewarding and educational experience for
myself, and I feel OWASP has benefited greatly by the many excellent
projects which have been developed and advanced through the AoC 2006
program. With all this activity and excitement, we have decided that we
should produce and distribute a regular newsletter to keep everyone up to
date on the direction of OWASP and our many great projects. We invite your
feedback and news submissions which can be submitted to aholmes@owasp.org and
dinis.cruz@owasp.net. Enjoy!

In the next newsletter we will take a deeper look at the AoC projects and
explain how they can benefit you.

Until next week, happy coding!

Aaron M. Holmes
OWASP Newsletter Editor and Website Developer


OWASP Autumn of Code (AoC) update

The end of 2006 marks an important time for OWASP with the successful
completion of the Autumn of Code 2006. Four of the nine original projects
have been completed and are now officially closed. The completed projects
include CAL9000
<https://www.owasp.org/index.php/Category:OWASP_CAL9000_Project>, OWASP
SiteGenerator <https://www.owasp.org/index.php/OWASP_SiteGenerator>, OWASP
Report Generator <https://www.owasp.org/index.php/OWASP_Report_Generator>,
the Testing Guide <https://www.owasp.org/index.php/Testing_Guide>, and the
Owasp.org Website and Branding project
<https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding>.
Additionally, three other projects are up for completion and will be
finalized in the very near future, including Pantera (Web Assessment Studio
Project)
<https://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project>,
new WebGoat lessons
<https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat>,
and OWASP Tiger (formerly named Owasp.net Tools)
<https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools>.
The remaining two projects, WebScarab NG
<https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_WebScarab_NG>
and LiveCD
<https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD>,
have been granted 2-month project extensions.

All projects have seen great developments, made possible by the hard work
and efforts of our AoC participants, project leaders, community members and
OWASP membership fees (used to pay the AoC sponsorships).


Featured Projects: ORG and OSG

OWASP Report Generator
<https://www.owasp.org/index.php/OWASP_Report_Generator> (ORG) and OWASP
Site Generator <https://www.owasp.org/index.php/OWASP_Site_Generator> (OSG)
are projects that have recently been updated through the Autumn of Code.

OWASP Report Generator
<https://www.owasp.org/index.php/OWASP_Report_Generator> (ORG) is designed
for security consultants and aims to aid the creation, management and
reporting of security audits (i.e. penetration testing, security
assessments, etc.). With ORG you can centrally manage and track security
assessment projects, while considerably reducing the time spent on
non-testing activities. ORG makes it easy (using Altova's Authentic XML
WYSIWYG editor) and quick to: a) record and document findings, b) create
reports in multiple formats and c) track the findings until they are fixed
(additional features: image copy and paste, Nmap import, plug-in extension,
automatic XSD schema verification, archiving and data exports). All data is
stored in XML files and all reports (in HTML, PDF, PowerPoint or Excel) are
created using XSL transformations.

OWASP Site Generator <https://www.owasp.org/index.php/OWASP_Site_Generator>
(OSG) is a teaching tool that can be used to create dynamic sites built from
a predefined list of vulnerabilities (data is stored in XML files and new
dynamic websites are loaded in seconds). This allows security trainers to
show specific examples of problems and developers to look at real vulnerable
code. It will also allow the assessment of the effectiveness of Web
Application Security Scanners and Web Application Firewalls.


Latest additions to the WIKI

   - *New WIKI pages*
      - PDF Attack Filter for Java EE
        <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE> -
        This is a filter to block XSS attacks on PDF files served by Java EE
        applications.
      - CSRF Guard <https://www.owasp.org/index.php/CSRF_Guard>
      - Books that reference OWASP
        <https://www.owasp.org/index.php/Books_that_reference_OWASP>

   - *Relevant WIKI Page edits*
      - OWASP Stinger Project
        <https://www.owasp.org/index.php/Category:OWASP_Stinger_Project> and
        OWASP Validation Project
        <https://www.owasp.org/index.php/OWASP_Validation_Project>
      - Cross-Site Request Forgery
        <https://www.owasp.org/index.php/Cross-Site_Request_Forgery>
      - Business Justification for Application Security Assessment
        <https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment>
      - OWASP Code Review Guide Table of Contents
        <https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents>
      - A Tale of Two Systems
        <https://www.owasp.org/index.php/A_Tale_of_Two_Systems>
      - How to write a new WebGoat lesson
        <https://www.owasp.org/index.php/How_to_write_a_new_WebGoat_lesson>
      - How to test session identifier strength with WebScarab
        <https://www.owasp.org/index.php/How_to_test_session_identifier_strength_with_WebScarab>
      - Source Code Analysis Tools
        <https://www.owasp.org/index.php/Source_Code_Analysis_Tools>

   - *Presentations on Chapters:*
      - Dec 06, Chicago <https://www.owasp.org/index.php/Chicago>: Webapps In
        Name Only <http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf>
        by Thomas Ptacek, Matasano Security; Token-less strong
        authentication for web applications: A Security Review
        <http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt>
        by Cory Scott, ABN AMRO
      - Dec 06, Helsinki <https://www.owasp.org/index.php/Helsinki>:
        Analyzing Threats <http://www.owasp.org/images/7/7c/Owasp-olli.pdf>
        by Olli Wiren
      - Nov 06, Virginia (Northern Virginia)
        <https://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29>:
        Web site attack trends
        <http://www.owasp.org/index.php/Image:OWASP_Presentation_Nov._9_2006.ppt>
        by Jim Young, Websense Inc., and Investigating Ajax and JavaScript
        Security
        <http://www.pascarello.com/presentation/owasp/HackingFun.zip> by
        Eric Pascarello
      - Nov 06, Phoenix <https://www.owasp.org/index.php/Phoenix>:
        Discovering Web Application Vulnerabilities with Google CodeSearch
        <http://www.stachliu.com/presentations/webapp0day/index.html> by
        Jon Rose
      - Oct 06, Rochester <https://www.owasp.org/index.php/Rochester>: The
        first of the OWASP top ten: unvalidated input
        <http://rd1.net/owasp/2006-10-16_owasp-presentation.ppt> by Steve
        Buck

   - *OWASP Testing Project*: Here are just a couple of links from the 2nd
     version of the OWASP Testing Project
     <https://www.owasp.org/index.php/OWASP_Testing_Project>, whose ToC is
     here: OWASP Testing Guide v2 Table of Contents
     <https://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents>
      - Testing: Spidering and googling
        <https://www.owasp.org/index.php/Testing:_Spidering_and_googling>
      - Testing for Application Discovery
        <https://www.owasp.org/index.php/Testing_for_Application_Discovery>
      - Testing for Bypassing Authentication Schema
        <https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema>
      - Testing for Error Code
        <https://www.owasp.org/index.php/Testing_for_Error_Code>
      - Buffer Overruns and Overflows
        <https://www.owasp.org/index.php/Buffer_Overruns_and_Overflows>
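The PDF Attack Filter for Java EE listed above addresses the PDF XSS issue reported under Application Security News further down in this newsletter: a script appended after the # in the URL of any hosted PDF was run by the Reader browser plug-in in the context of the hosting site. As an added example, not code from the OWASP filter or from this newsletter, here is the same idea as a Python WSGI middleware. The fragment after # never reaches the server, so nothing server-side can inspect it; what the server can do is refuse to let the PDF be rendered in-page by sending it as a download (Content-Disposition: attachment), so the browser hands the file to a standalone viewer. The sample_app, the paths and the X-Content-Type-Options header are my additions (that header postdates this newsletter).

```python
import re


# --- Constructed sample application (not ORG, OSG or the OWASP filter) -------
def sample_app(environ, start_response):
    """Serves a fake PDF for any *.pdf path and a small HTML page otherwise."""
    path = environ.get("PATH_INFO", "")
    if path.lower().endswith(".pdf"):
        start_response("200 OK", [("Content-Type", "application/pdf")])
        return [b"%PDF-1.4\n% constructed sample, not a real document\n"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def _is_pdf(path, headers):
    """A response is a PDF if it says so, or if the URL ends in .pdf."""
    ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
    return (ctype.split(";")[0].strip().lower() == "application/pdf"
            or path.lower().endswith(".pdf"))


def _safe_filename(path):
    """Last path segment, restricted to a conservative character set so the
    value cannot break out of the quoted header parameter."""
    name = path.rsplit("/", 1)[-1] or "download"
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return name if name.lower().endswith(".pdf") else name + ".pdf"


def harden_pdf_headers(path, headers):
    """Return the response headers with PDFs forced to download.
    Non-PDF responses pass through unchanged."""
    if not _is_pdf(path, headers):
        return list(headers)
    kept = [(k, v) for k, v in headers
            if k.lower() not in ("content-disposition", "x-content-type-options")]
    kept.append(("Content-Disposition",
                 'attachment; filename="%s"' % _safe_filename(path)))
    kept.append(("X-Content-Type-Options", "nosniff"))  # later-era hardening
    return kept


class ForcePdfDownload:
    """WSGI middleware wrapping any app: every PDF leaves as an attachment."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, harden_pdf_headers(path, headers), exc_info)

        return self.app(environ, hardened_start_response)


def run(app, path):
    """Drive a WSGI app for one GET request offline; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    print(run(ForcePdfDownload(sample_app), "/reports/audit 2006.pdf")[1])
```

The filename is rebuilt from a whitelist of characters rather than copied from the URL, because the path is attacker-influenced and is being written into a header. Keying on both the Content-Type and the .pdf suffix catches applications that stream PDFs under a generic type.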


OWASP Community (from here <https://www.owasp.org/index.php/OWASP_Community>
on owasp.org)

OWASP related events, such as chapter meetings, OWASP conferences,
get-togethers, and OWASP sponsored events.

   - *Jan 17 (18:30h) - Denver chapter meeting*
     <https://www.owasp.org/index.php/Denver>
   - *Jan 15 (18:00h) - Rochester chapter meeting*
     <https://www.owasp.org/index.php/Rochester>
   - *Jan 11 (18:00h) - Netherlands chapter meeting*
     <https://www.owasp.org/index.php/Netherlands>
   - *Jan 11 (18:30h) - Phoenix chapter meeting*
     <https://www.owasp.org/index.php/Phoenix>
   - *Jan 10 (18:00h) - Toronto chapter meeting*
     <https://www.owasp.org/index.php/Toronto>
   - *Jan 9 (18:00h) - Washington DC (N. VA) chapter meeting*
     <https://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29>


OWASP News Headlines (from here <https://www.owasp.org/index.php/OWASP_News>
on owasp.org)

   - *Jan 2 - The Best Security Books Reference OWASP*
     <http://books.google.com/books?as_q=owasp&num=100&btnG=Google+Search&as_epq=&as_oq=&as_eq=&as_libcat=0&as_brr=0&as_vt=&as_auth=&as_pub=&as_drrb=c&as_miny=&as_maxy=&as_isbn=>
     - There are over 50 security books that reference OWASP. Many of the
     authors are contributing to OWASP, speaking at our conferences, and
     participating in our chapters. Some of the books just recommend OWASP,
     but many are structured around OWASP, and others have whole chapters
     dedicated to our tools.

   - *Nov 28 - JBroFuzz 0.3 Released*
     <http://www.owasp.org/index.php/OWASP_JBroFuzz> - This version adds a
     more stable core, length updating for fuzzed POST requests and allows
     you to specify your own fuzz vectors in a separate file.

   - *Nov 26 - OWASP Report Generator 0.88 Released*
     <http://www.owasp.org/index.php/OWASP_Report_Generator> - A tool for
     security consultants that supports the documentation and reporting of
     security vulnerabilities discovered during security audits.

   - *Nov 26 - OWASP Site Generator v.70 Released*
     <http://www.owasp.org/index.php/OWASP_Site_Generator> - A tool that
     allows the creation of dynamic websites based on XML files and
     predefined vulnerabilities (some simple, some complex) for testing
     application security tools.

   - *Nov 14 - Three great new OWASP projects*
     <http://www.owasp.org/index.php/Category:OWASP_Project>
      - OWASP Encoding Project
        <http://www.owasp.org/index.php/Category:OWASP_Encoding_Project> - A
        nice encoding library that supports Java, .NET, PHP, Python, Perl,
        JavaScript, and Ajax.
      - OWASP WSFuzzer Project
        <http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project> - A
        fuzzing tool for Web Services to support penetration testing efforts.
      - OWASP Insecure Web App Project
        <http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project>
        - A realistic but insecure Java EE web application for use in
        learning and testing tools.

   - *Nov 12 - New OWASP App Security Search Engine*
     <http://www.owasp.org/google/results.html> - We're beta-testing a new
     Google-powered search engine for application security. The engine
     indexes the OWASP site and all the other sites dedicated to application
     security on the Internet.

   - *Nov 7 - OWASP Hits Two-Million Page Views*
     <http://www.owasp.org/index.php/Special:Statistics> - Thank you all for
     your support! We serve approximately 1/2 million page views every month.



Application Security News (from here
<https://www.owasp.org/index.php/Application_Security_News> on owasp.org)

   - *Jan 3 - XSS in ALL sites with PDF download*
     <http://www.gnucitizen.org/blog/danger-danger-danger/> - Critical XSS
     flaw that is trivial to exploit in all but the very latest browsers.
     Attackers simply have to add a script like
     #attack=javascript:alert(document.cookie); to ANY URL that ends in
     .pdf (or streams a PDF). Solution is to not use PDFs or for Adobe to
     patch the planet.

   - *Dec 14 - JavaScript error handler leaks information*
     <http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html>
     - An attacker can find out whether you're logged into your favorite
     website or not. They include a script tag whose src attribute doesn't
     point to a script, but instead to a page on your favorite website. Based
     on the error the script parser generates when trying to parse the HTML
     of the page that's returned, the attacker can tell whether you're logged
     in or not. This should extend to access control easily. Protect yourself
     with CSRF protection.

   - *Dec 13 - UCLA spins massive breach*
     <http://www.washingtonpost.com/wp-dyn/content/article/2006/12/12/AR2006121200173.html>
     - Why not just say what measures you've really taken? Are all developers
     trained? Do you do code review and security testing? "Jim Davis, UCLA's
     chief information officer, said a computer trespasser used a program
     designed to exploit an undetected software flaw to bypass all security
     measures and gain access to the restricted database that contains
     information on about 800,000 current and former students, faculty and
     staff, as well as some student applicants and parents of students or
     applicants who applied for financial aid. 'In spite of our diligence, a
     sophisticated hacker found and exploited a subtle vulnerability in one
     of hundreds of applications,' Davis said in the statement."

   - *Dec 10 - MySpace and Apple mess*
     <http://news.com.com/Security+Bites+Podcast+MySpace,+Apple+in+patch+snafu/2324-12640_3-6142120.html>
     - MySpace and Apple show how NOT to handle security incidents (see also
     How Not to Distribute Security Patches
     <http://blog.washingtonpost.com/securityfix/2006/12/how_not_to_distribute_security_1.html>)

   - *Dec 2 - Oracle blames security researchers*
     <http://blogs.oracle.com/security/2006/11/27#a39> - "We do not credit
     security researchers who disclose the existence of vulnerabilities
     before a fix is available. We consider such practices, including
     disclosing 'zero day' exploits, to be irresponsible." So the question on
     everybody's mind - is the Oracle Software Security Assurance program
     real? Or are David Litchfield and Cesar Cerrudo right that the Emperor
     has no clothes?
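The Dec 14 item above ends with "Protect yourself with CSRF protection" without saying why that helps. As an added example, not code from the linked post or from any OWASP project, here is the pattern in Python: the account page checks a per-session token before it looks at who the user is, so a cross-site `<script src=...>` request (which carries the victim's cookie but cannot know the token) receives exactly the same 403 whether or not the victim is logged in, and the parser error it provokes carries no signal. The session table, the token values and the leaky variant kept beside it for contrast are constructed for this demonstration; the X-Content-Type-Options header is a later addition that makes current browsers refuse to execute a text/html response as a script at all.

```python
import hmac
import secrets

# Constructed session table for the demonstration (not from the linked post).
# A real application keeps this server-side and binds the token to the session.
SESSIONS = {
    "sess-anon": {"user": None, "csrf": None},
    "sess-alice": {"user": "alice", "csrf": "tok-alice-0123456789abcdef"},
}

HTML_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Content-Type-Options", "nosniff"),  # browsers will not run this as script
]

# The one response every request without a valid token receives.
DENIED = ("403 Forbidden", HTML_HEADERS, "<html><body>Request rejected.</body></html>")


def issue_csrf_token():
    """Mint an unguessable per-session token; it is stored in the session and
    embedded only in same-origin links and forms."""
    return secrets.token_urlsafe(24)


def _token_matches(expected, supplied):
    if expected is None or supplied is None:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def serve_account_page(session_id, csrf_param):
    """Hardened handler: the token check comes first and is independent of
    the login state, so anonymous, logged-in and unknown sessions that lack
    the token all get byte-identical replies."""
    session = SESSIONS.get(session_id, {"user": None, "csrf": None})
    if not _token_matches(session["csrf"], csrf_param):
        return DENIED
    if session["user"] is None:
        return DENIED  # a token-bearing but not-logged-in session: same reply
    body = "<html><body><h1>Account: %s</h1></body></html>" % session["user"]
    return ("200 OK", HTML_HEADERS, body)


def serve_account_page_leaky(session_id):
    """The pattern the post describes: the reply depends only on login state,
    so a cross-site <script src="/account"> produces a different parser error
    for a logged-in victim than for an anonymous one."""
    session = SESSIONS.get(session_id, {"user": None, "csrf": None})
    if session["user"] is None:
        return ("302 Found", [("Location", "/login")], "")
    body = "<html><body><h1>Account: %s</h1></body></html>" % session["user"]
    return ("200 OK", HTML_HEADERS, body)


def cross_site_fetch(session_id):
    """What a cross-site <script src> fetch of the hardened page yields: the
    browser attaches the victim's session cookie, but no token travels with it."""
    return serve_account_page(session_id, None)
```

The property worth checking in review is that `cross_site_fetch("sess-anon")` and `cross_site_fetch("sess-alice")` are equal, not merely both errors: any difference in status, headers or body is a channel. Binding the token to the session (rather than a site-wide secret) keeps one user's legitimately obtained token from being reused against another.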


[Attachment #3 (text/html)]

<span class="gmail_quote"></span>Hello, please find below the 1st OWASP newsletter \
(also posted in the wiki <a \
href="https://www.owasp.org/index.php/OWASP_Newsletter_1">https://www.owasp.org/index.php/OWASP_Newsletter_1</a>
 ).<br><br>The idea is to send a newsletter every 1 to 2 weeks, and if you want to \
include some materials or links in the next one, you have 4 options:<br><ul><li>You \
can edit the <a href="http://www.owasp.org/index.php/OWASP_Newsletter_2" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">

http://www.owasp.org/index.php/OWASP_Newsletter_2</a> wiki page directly (good if you \
add new content to the wiki and want to make sure we don&#39;t miss it)</li><li><a \
href="http://www.owasp.org/index.php/OWASP_Community" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

http://www.owasp.org/index.php/OWASP_Community</a><br></li><li><a \
href="http://www.owasp.org/index.php/OWASP_News" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">http://www.owasp.org/index.php/OWASP_News  \
</a><br></li><li><a href="http://www.owasp.org/index.php/Application_Security_News" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> \
http://www.owasp.org/index.php/Application_Security_News</a></li></ul><a \
href="https://www.owasp.org/index.php/OWASP_Newsletter_1"></a>Thanks Aaron for the \
work done in getting this newsletter together, and as always everybody is invited to \
comment and help. <br><br>Dinis Cruz<br>Chief OWASP Evangelist, Are you a member yet?
<br><a href="http://www.owasp.org" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">http://www.owasp.org</a><br><br><br><br><br><div><h2>OWASP \
Newsletter #1 – December 1st 2006 to December 31st 2006 </h2> <span></span>
</div>
<ul><li><a href="https://www.owasp.org/index.php/OWASP_Newsletter_1#OWASP_Autumn_of_Code_.28AoC.29_update" \
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"><span></span><span>OWASP Autumn of Code (AoC) \
update </span></a></li><li><a \
href="https://www.owasp.org/index.php/OWASP_Newsletter_1#Featured_Projects:_ORG_and_OSG" \
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"><span></span><span>Featured Projects: ORG and \
OSG </span>
</a></li><li><a href="https://www.owasp.org/index.php/OWASP_Newsletter_1#Latest_additions_to_the_WIKI" \
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"><span></span><span>Latest additions to the \
WIKI </span></a></li>
<li><a href="https://www.owasp.org/index.php/OWASP_Newsletter_1#OWASP_Community_.28from__here_on_owasp.org.29" \
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"><span></span><span>OWASP Community (from  here \
on owasp.org) </span></a></li><li><a \
href="https://www.owasp.org/index.php/OWASP_Newsletter_1#OWASP_News_Headlines_.28from_here_on_owasp.org.29" \
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"><span></span><span> OWASP News Headlines (from \
here on owasp.org) </span></a></li><li><a \
href="https://www.owasp.org/index.php/OWASP_Newsletter_1#Application_Security_News_.28from__here_on_owasp.org.29" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><span></span> \
<span>Application Security News (from  here on owasp.org) </span></a></li></ul>

<div style="float: right; margin-left: 5px;"><br></div><a \
name="11000b8587eea8a3_OWASP_Newsletter_.231_.E2.80.93_December_1st_2006_to_December_31st_2006"></a><h4><br> \
 </h4>
<p><b>Welcome to 2007 from all of us at OWASP!</b>
</p><p>I would like to take a moment to welcome you all to our first
edition of the OWASP newsletter and introduce myself. My name is Aaron
Holmes and I have had the pleasure of working on the OWASP website as
part of the OWASP Autumn of Code (AoC) 2006. It has been a rewarding
and educational experience for myself, and I feel OWASP has benefited
greatly by the many excellent projects which have been developed and
advanced through the AoC 2006 program. With all this activity and
excitement, we have decided that we should produce and distribute a
regular newsletter to keep everyone up to date on the direction of
OWASP and our many great projects. We invite your feedback and news
submissions which can be submitted to <a href="mailto:aholmes@owasp.org" \
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">aholmes@owasp.org</a> and <a \
href="mailto:dinis.cruz@owasp.net" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">dinis.cruz@owasp.net</a>. Enjoy! </p><p>In the \
next newsletter we will take a deeper look to the AoC projects and explain how they \
can benefit you. </p><p>Until next week, happy coding!
</p><p>Aaron M. Holmes
OWASP Newsletter Editor and Website Developer
</p>
<div style="float: right; margin-left: 5px;"><br></div><a \
name="11000b8587eea8a3_OWASP_Autumn_of_Code_.28AoC.29_update"></a><h4><br></h4><h4>  \
OWASP Autumn of Code (AoC) update </h4> <p>The end of 2006 marks an important time \
for OWASP with the successful completion of the Autumn of Code 2006. Four of the nine
original projects have been completed and are now officially closed.
The completed projects include <a \
href="https://www.owasp.org/index.php/Category:OWASP_CAL9000_Project" \
title="Category:OWASP CAL9000 Project" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">CAL9000 </a>, <a \
href="https://www.owasp.org/index.php/OWASP_SiteGenerator" title="OWASP \
SiteGenerator" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"> OWASP SiteGenerator</a>, <a \
href="https://www.owasp.org/index.php/OWASP_Report_Generator" title="OWASP Report \
Generator" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">OWASP Report Generator</a>, the  <a \
href="https://www.owasp.org/index.php/Testing_Guide" title="Testing Guide" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> \
Testing_Guide</a>, and the <a \
href="https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding" \
title="OWASP Autumn of Code 2006 - Projects: Website and Branding" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">  Owasp.org Website and \
Branding project </a>. Additionally, three other projects are up for completion and \
will be finalized in the very near future; including <a \
href="https://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project" \
title="Category:OWASP Pantera Web Assessment Studio Project" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">

Pantera</a> (Web Assessment Studio Project), <a \
href="https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat" \
title="OWASP Autumn of Code 2006 - Projects: Web Goat" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">  new WebGoat lessons</a>, and \
<a href="https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools" \
title="OWASP Autumn of Code 2006 - Projects: Owasp .Net Tools" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">

 OWASP Tiger</a> (formally named <a href="http://Owasp.net" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">Owasp.net</a> Tools). The \
remaining two projects, <a \
href="https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_WebScarab_NG" \
title="OWASP Autumn of Code 2006 - Projects: WebScarab NG" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">

 WebScarab NX</a> and <a \
href="https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD" \
title="OWASP Autumn of Code 2006 - Projects: Live CD" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">  LiveCD</a> have been granted 2 month project \
extensions.  </p><p>All projects have seen great developments which have been made
possible by the hard work and efforts of our AoC participants, project
leaders, community members and owasp membership fees (used to pay the
AoC sponsorships)
</p>
<div style="float: right; margin-left: 5px;"><br></div><a \
name="11000b8587eea8a3_Featured_Projects:_ORG_and_OSG"></a><h4><br></h4><h4>  \
Featured Projects: ORG and OSG </h4> <p><a \
href="https://www.owasp.org/index.php/OWASP_Report_Generator" title="OWASP Report \
Generator" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">OWASP Report Generator</a> (ORG) and <a \
href="https://www.owasp.org/index.php/OWASP_Site_Generator" title="OWASP Site \
Generator" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">

OWASP Site Generator</a>(OSG) are projects that have recently been updated through \
the Autumn of Code.   </p><p><a \
href="https://www.owasp.org/index.php/OWASP_Report_Generator" title="OWASP Report \
Generator" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">OWASP Report Generator</a> (ORG) is designed \
for security consultants and aims to aid the creation, management and reporting of \
security audits (i.e. penetration testing, security assessments, etc). With ORG you \
can centrally manage and track security assessments projects, while reducing \
considerably the time spent on non-testing activities. ORG allows for the easy
(using Altova&#39;s Authentic XML WYSIWYG editor) and quick: a)
record/document findings, b) create reports in multiple formats and c)
track the findings till they are fixed (additional features: Image copy
and paste, Nmap import, plug-in extension,automatic xsd schema
verification, archiving and data exports). All data is stored in XML
files and all reports (in HTML, PDF, Powerpoint or Excel) are created
using XSL transformations.
</p><p><a href="https://www.owasp.org/index.php/OWASP_Site_Generator" title="OWASP \
Site Generator" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">OWASP Site Generator</a>(OSG) is a teaching \
tool that can be used to create dynamic sites build from a predefined list of \
vulnerabilities (data stored in XML files and new dynamic websites loaded in \
seconds). This allows for security trainers to show specific examples of problems and \
for developers to look at real vulnerable code. It also will allow the assessment of \
the effectiveness of Web Application Security Scanners and Web Application
Firewalls.
</p><a name="11000b8587eea8a3_Latest_additions_to_the_WIKI"></a><h4><br><br> Latest \
additions to the WIKI </h4> <ul><li> <b>New WIKI pages</b>
<ul><li> <a href="https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE" \
title="PDF Attack Filter for Java EE" target="_blank" onclick="return \
                top.js.OpenExtLink(window,event,this)">PDF Attack Filter for Java \
                EE</a>
  - This is a filter to block XSS attacks on PDF files served by Java EE \
applications. </li><li> <a href="https://www.owasp.org/index.php/CSRF_Guard" \
title="CSRF Guard" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">CSRF Guard</a> </li><li> <a \
href="https://www.owasp.org/index.php/Books_that_reference_OWASP" title="Books that \
reference OWASP" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Books that reference OWASP</a> </li></ul>
</li></ul>
<ul><li> <b>Relevant WIKI Page edits</b>
<ul><li> <a href="https://www.owasp.org/index.php/Category:OWASP_Stinger_Project" \
title="Category:OWASP Stinger Project" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">OWASP Stinger Project</a> and  <a \
href="https://www.owasp.org/index.php/OWASP_Validation_Project" title="OWASP \
Validation Project" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"> OWASP Validation Project</a>
</li><li> <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery" \
title="Cross-Site Request Forgery" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Cross-Site Request Forgery</a> </li><li> <a \
href="https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment" \
title="Business Justification for Application Security Assessment" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)"> Business Justification for \
Application Security Assessment </a>
</li><li> <a href="https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents" \
title="OWASP Code Review Guide Table of Contents" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">OWASP Code Review Guide Table of Contents </a>
</li><li> <a href="https://www.owasp.org/index.php/A_Tale_of_Two_Systems" title="A \
Tale of Two Systems" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">A Tale of Two Systems</a> </li><li>
<br></li><li> <a href="https://www.owasp.org/index.php/How_to_write_a_new_WebGoat_lesson" \
title="How to write a new WebGoat lesson" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">How to write a new WebGoat lesson </a>
</li><li> <a href="https://www.owasp.org/index.php/How_to_test_session_identifier_strength_with_WebScarab" \
title="How to test session identifier strength with WebScarab" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)"> How to test session \
identifier strength with WebScarab </a>
</li><li> <a href="https://www.owasp.org/index.php/Source_Code_Analysis_Tools" \
title="Source Code Analysis Tools" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Source Code Analysis Tools</a> </li></ul>
</li></ul>
<ul><li> <b>Presentations on Chapters:</b>
<ul><li> Dec 06, <a href="https://www.owasp.org/index.php/Chicago" title="Chicago" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Chicago</a>, \
<a href="http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf" \
title="http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">

Webapps In Name Only</a>  by Thomas Ptacek, Matasano Security, <a \
href="http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt" \
title="http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

Token-less strong authentication for web applications: A Security Review</a>  by Cory \
Scott, ABN AMRO </li><li> Dec 06, <a href="https://www.owasp.org/index.php/Helsinki" \
title="Helsinki" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Helsinki</a>,<a \
href="http://www.owasp.org/images/7/7c/Owasp-olli.pdf" \
title="http://www.owasp.org/images/7/7c/Owasp-olli.pdf" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">

Analyzing Threats</a>  by Olli Wiren 
</li><li> Nov 06, <a \
href="https://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29" \
title="Virginia (Northern Virginia)" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Virginia (Northern Virginia) </a>, <a \
href="http://www.owasp.org/index.php/Image:OWASP_Presentation_Nov._9_2006.ppt" \
title="http://www.owasp.org/index.php/Image:OWASP_Presentation_Nov._9_2006.ppt" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

Web site attack trends</a> by Jim Young, Websense Inc. and <a \
href="http://www.pascarello.com/presentation/owasp/HackingFun.zip" \
title="http://www.pascarello.com/presentation/owasp/HackingFun.zip" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">

Investigating Ajax and JavaScript Security</a>  by Eric Pascarello
</li><li> Nov 06, <a href="https://www.owasp.org/index.php/Phoenix" title="Phoenix" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Phoenix</a>, \
<a href="http://www.stachliu.com/presentations/webapp0day/index.html" \
title="http://www.stachliu.com/presentations/webapp0day/index.html" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">

Discovering Web Application Vulnerabilities with Google CodeSearch</a> by Jon Rose
</li><li> Oct 06, <a href="https://www.owasp.org/index.php/Rochester" \
title="Rochester" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Rochester</a>, <a \
href="http://rd1.net/owasp/2006-10-16_owasp-presentation.ppt" \
title="http://rd1.net/owasp/2006-10-16_owasp-presentation.ppt" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">

The first of the OWASP top ten: unvalidated input</a>, by Steve Buck 
</li></ul>
</li></ul>
<ul><li> <b>OWASP Testing Project</b>: Here are just a couple links from the 2nd \
version of the <a href="https://www.owasp.org/index.php/OWASP_Testing_Project" \
title="OWASP Testing Project" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"> OWASP Testing Project</a>  whose ToC is  \
here:  <a href="https://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents" \
title="OWASP Testing Guide v2 Table of Contents" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">OWASP Testing Guide v2 Table of Contents </a>
<ul><li> <a href="https://www.owasp.org/index.php/Testing:_Spidering_and_googling" \
title="Testing: Spidering and googling" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Testing: Spidering and googling </a>
</li><li> <a href="https://www.owasp.org/index.php/Testing_for_Application_Discovery" \
title="Testing for Application Discovery" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Testing for Application Discovery </a> 
</li><li> <a href="https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema" \
title="Testing for Bypassing Authentication Schema" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Testing for Bypassing Authentication Schema \
</a> </li><li> <a href="https://www.owasp.org/index.php/Testing_for_Error_Code" \
title="Testing for Error Code" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Testing for Error Code</a> </li><li> <a \
href="https://www.owasp.org/index.php/Buffer_Overruns_and_Overflows" title="Buffer \
Overruns and Overflows" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Buffer Overruns and Overflows </a>
</li></ul>
</li></ul>
<div style="float: right; margin-left: 5px;"><br></div><a \
name="11000b8587eea8a3_OWASP_Community_.28from__here_on_owasp.org.29"></a><h4>  OWASP \
Community (from <a href="https://www.owasp.org/index.php/OWASP_Community" \
title="OWASP Community" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

 here</a> on <a href="http://owasp.org" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">owasp.org</a>) </h4> <p>OWASP related events, \
such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored \
events.  </p>
<ul><li> <b>Jan 17 (18:30h) - <a href="https://www.owasp.org/index.php/Denver" \
title="Denver" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Denver chapter meeting</a></b> </li></ul>
<ul><li> <b>Jan 15 (18:00h) - <a href="https://www.owasp.org/index.php/Rochester" \
title="Rochester" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Rochester chapter meeting</a></b> </li></ul>
<ul><li> <b>Jan 11 (18:00h) - <a href="https://www.owasp.org/index.php/Netherlands" \
title="Netherlands" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Netherlands chapter meeting</a></b> </li></ul>
<ul><li> <b>Jan 11 (18:30h) - <a href="https://www.owasp.org/index.php/Phoenix" \
title="Phoenix" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Phoenix chapter meeting</a></b> </li></ul>
<ul><li> <b>Jan 10 (18:00h) - <a href="https://www.owasp.org/index.php/Toronto" \
title="Toronto" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Toronto chapter meeting</a></b> </li></ul>
<ul><li> <b>Jan 9 (18:00h) - <a \
href="https://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29" \
title="Virginia (Northern Virginia)" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Washington DC (N. VA) chapter meeting </a></b>
</li></ul>
<a name="11000b8587eea8a3_OWASP_News_Headlines_.28from_here_on_owasp.org.29"></a><h4> \
OWASP News Headlines (from <a href="https://www.owasp.org/index.php/OWASP_News" \
title="OWASP News" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"> here</a> on <a href="http://owasp.org" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">owasp.org</a> \
) </h4> <ul><li>  <b>Jan 2 - <a \
href="http://books.google.com/books?as_q=owasp&amp;num=100&amp;btnG=Google+Search&amp; \
as_epq=&amp;as_oq=&amp;as_eq=&amp;as_libcat=0&amp;as_brr=0&amp;as_vt=&amp;as_auth=&amp;as_pub=&amp;as_drrb=c&amp;as_miny=&amp;as_maxy=&amp;as_isbn=" \
title="http://books.google.com/books?as_q=owasp&amp;num=100&amp;btnG=Google+Search&amp \
;as_epq=&amp;as_oq=&amp;as_eq=&amp;as_libcat=0&amp;as_brr=0&amp;as_vt=&amp;as_auth=&amp;as_pub=&amp;as_drrb=c&amp;as_miny=&amp;as_maxy=&amp;as_isbn=" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

The Best Security Books Reference OWASP</a></b>
- There are over 50 security books that reference OWASP. Many of the
authors are contributing to OWASP, speaking at our conferences, and
participating in our chapters. Some of the books just recommend OWASP,
but many are structured around OWASP, and others have whole chapters
dedicated to our tools. </li></ul>
<ul><li> <b>Nov 28 - <a href="http://www.owasp.org/index.php/OWASP_JBroFuzz" \
title="http://www.owasp.org/index.php/OWASP_JBroFuzz" rel="nofollow" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">JBroFuzz 0.3 Released </a></b>
- This version adds a more stable core, length updating for fuzzed POST
requests and allows you to specify your own fuzz vectors in a separate
file. </li></ul>
<ul><li> <b>Nov 26 - <a href="http://www.owasp.org/index.php/OWASP_Report_Generator" \
title="http://www.owasp.org/index.php/OWASP_Report_Generator" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> OWASP Report \
Generator 0.88 Released </a></b>
- A tool for security consultants that supports the documentation and
reporting of security vulnerabilities discovered during security
audits. </li></ul>
<ul><li> <b>Nov 26 - <a href="http://www.owasp.org/index.php/OWASP_Site_Generator" \
title="http://www.owasp.org/index.php/OWASP_Site_Generator" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> OWASP Site \
Generator v.70 Released</a></b>

- A tool that allows the creation of dynamic websites based on XML
files and predefined vulnerabilities (some simple, some complex) for
testing application security tools. </li></ul>
<ul><li> <b>Nov 14 - <a href="http://www.owasp.org/index.php/Category:OWASP_Project" \
title="http://www.owasp.org/index.php/Category:OWASP_Project" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> Three great \
new OWASP projects</a></b>

<ul><li> <a href="http://www.owasp.org/index.php/Category:OWASP_Encoding_Project" \
title="http://www.owasp.org/index.php/Category:OWASP_Encoding_Project" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> OWASP \
Encoding Project</a>  A nice encoding library that supports Java, .NET, PHP, Python, \
Perl, JavaScript, and Ajax.  </li><li> <a \
href="http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project" \
title="http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> OWASP \
WSFuzzer Project</a> A fuzzing tool for Web Services to support penetration testing \
efforts.  </li><li> <a \
href="http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project" \
title="http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)"> OWASP Insecure Web App Project
</a>  A realistic but insecure Java EE web application for use in learning and \
testing tools. </li></ul>
</li></ul>
<ul><li> <b>Nov 12 - <a href="http://www.owasp.org/google/results.html" \
title="http://www.owasp.org/google/results.html" rel="nofollow" target="_blank" \
onclick="return top.js.OpenExtLink(window,event,this)">New OWASP App Security Search \
Engine </a></b>
- We&#39;re beta-testing a new Google-powered search engine for application
security. The engine indexes the OWASP site and all the other sites
dedicated to application security on the Internet.
</li></ul>
<ul><li> <b>Nov 7 - <a href="http://www.owasp.org/index.php/Special:Statistics" \
title="http://www.owasp.org/index.php/Special:Statistics" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> OWASP Hits \
Two-Million Page Views</a></b> - Thank you all for your support! We serve \
approximately 1/2 million page views every month. </li></ul>
<div style="float: right; margin-left: 5px;"><br></div><a \
name="11000b8587eea8a3_Application_Security_News_.28from__here_on_owasp.org.29"></a><h4> \
Application Security News (from <a \
href="https://www.owasp.org/index.php/Application_Security_News" title="Application \
Security News" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

 here</a> on <a href="http://owasp.org" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">owasp.org</a>) </h4> <ul><li><b> Jan 3 - <a \
href="http://www.gnucitizen.org/blog/danger-danger-danger/" \
title="http://www.gnucitizen.org/blog/danger-danger-danger/" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> XSS in ALL \
sites with PDF download</a></b>

- Critical XSS flaw that is trivial to exploit with all but the very
latest Adobe Reader browser plugins. Attackers simply have to append a
fragment such as #attack=javascript:alert(document.cookie); to ANY URL
that ends in .pdf (or streams a PDF); the script then runs in the origin
of the site hosting the PDF. Because the payload sits after the #, the
browser never sends it to the server, so no server-side input filter can
see it. Solution is to not use PDFs, to serve them as downloads
(Content-Disposition: attachment) or from a separate throwaway domain, or
for Adobe to patch the planet (Adobe Reader 8 is not affected). </li></ul>
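<p>The practical consequence of the fragment-based payload above, as an added example in Node.js (not code from the newsletter or from the linked GNUCITIZEN post): the <code>#attack=...</code> part of the URL never leaves the browser, so the only server-side lever is how the PDF is delivered. The handler below serves every <code>.pdf</code> path as a download; the attack URL, the <code>victim.example</code> host and the stub PDF body are constructed for the example.</p>

```javascript
// Added example: the PDF open-parameter payload lives in the URL fragment,
// which browsers never send to the server, so delivery headers are the
// server-side control. Node.js, no modules required (URL is a global).

// Constructed attack URL in the shape described in the newsletter item.
const ATTACK_URL =
  'https://victim.example/reports/q4.pdf#attack=javascript:alert(document.cookie);';

// The request target a browser puts on the wire is path + query only.
// Everything from '#' onward stays client-side (here it is consumed by the
// Reader plugin), so a WAF or input filter on the server has nothing to match.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Response headers for a PDF: 'attachment' makes the browser save the file
// instead of handing it to the in-page Reader plugin, so the plugin never
// runs inside this site's origin. The filename is reduced to a safe basename
// so nothing from the request can inject into Content-Disposition.
function pdfDownloadHeaders(pathname) {
  const name = pathname.split('/').pop() || 'file.pdf';
  const safeName = name.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': 'application/pdf',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
}

// Route a request URL (as the server sees it, e.g. req.url) to a response
// description. The PDF body is a constructed stub; real code streams the file.
function handlePdfRequest(reqUrl) {
  const u = new URL(reqUrl, 'http://localhost');
  if (!u.pathname.toLowerCase().endsWith('.pdf')) {
    return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  }
  return { status: 200, headers: pdfDownloadHeaders(u.pathname), body: '%PDF-1.4\n%stub\n' };
}
```

<p>To wire it up, pass <code>req.url</code> from an <code>http.createServer</code> callback to <code>handlePdfRequest</code> and copy its status, headers and body onto the response. The check <code>requestTarget(ATTACK_URL)</code> returning only <code>/reports/q4.pdf</code> is the point: server-side logging or filtering cannot detect this attack, only change what the browser does with the file.</p>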
<ul><li> <b>Dec 14 - <a \
href="http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html" \
title="http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

JavaScript error handler leaks information</a></b>
- An attacker can find out whether you&#39;re logged into your favorite
website or not. They include a script tag whose src attribute
doesn&#39;t point to a script but to a page on your favorite website.
The browser attaches your cookies to that request, so the server answers
with the page your session would see. The attacker never reads the HTML:
the script parser fails on it, and the error (message and line number)
reported to window.onerror differs between the login page and the
logged-in page, which is enough to tell the two apart. Should extend to
access control easily. Protect yourself with CSRF protection, keeping in
mind that it only closes this leak if a request without the token gets
the same response whether or not a session cookie is present. </li></ul>
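<p>The login-state oracle described above, modelled in Node.js as an added example (not code from the newsletter or from Jeremiah Grossman's post). The vulnerable <code>/account</code> handler answers on the ambient session cookie alone; the simulated browser, the two constructed HTML responses and the hardened handler are assumptions for the example, and the <code>SameSite</code> cookie attribute and <code>Sec-Fetch-Dest</code> request header it uses are modern browser features that did not exist when this item was written. The attacker never sees a body; the oracle only needs the two responses to differ, which is what <code>isLoginOracle</code> checks.</p>

```javascript
// Added example: a cross-site <script src="https://victim/account"> load
// carries the victim's cookies, so the response reflects their login state
// and the resulting script-parse error tells the attacker which page came
// back. Node.js, no dependencies; the browser is simulated below.

// Constructed responses for the victim site. They differ, which is all the
// error-based oracle needs (the attacker never reads either body).
const LOGIN_FORM =
  '<html><body><form action="/login" method="post">...</form></body></html>';
const ACCOUNT_PAGE =
  '<!-- account: alice -->\n<html><body>Welcome back, alice</body></html>';

// Cookie issued at login. sameSite is the attribute value, or null if omitted.
function sessionCookie(sameSite) {
  return { name: 'session', value: 'valid-session-token', sameSite };
}

// Vulnerable handler: decides purely on the ambient session cookie.
function vulnerableHandler(req) {
  const body = req.cookies.session === 'valid-session-token' ? ACCOUNT_PAGE : LOGIN_FORM;
  return { status: 200, headers: { 'Content-Type': 'text/html' }, body };
}

// Hardened handler: HTML is never served to a request the browser marks as
// a script load (Sec-Fetch-Dest), and the 403 is identical for everyone, so
// logged-in and logged-out victims produce the same observable.
function hardenedHandler(req) {
  if (req.headers['sec-fetch-dest'] === 'script') {
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'forbidden' };
  }
  return vulnerableHandler(req);
}

// Simulated browser doing a cross-site <script src> fetch (assumption: a
// simplified model). Cookies with no SameSite attribute are attached, as
// every 2006 browser did; SameSite=Lax/Strict cookies are withheld on
// cross-site subresource loads; the Sec-Fetch-* headers are what a modern
// browser adds to such a request.
function crossSiteScriptLoad(handler, cookieJar) {
  const cookies = {};
  for (const c of cookieJar) {
    if (c.sameSite === null || c.sameSite === 'None') cookies[c.name] = c.value;
  }
  return handler({
    headers: {
      'sec-fetch-dest': 'script',
      'sec-fetch-mode': 'no-cors',
      'sec-fetch-site': 'cross-site',
    },
    cookies,
  });
}

// True when a logged-out and a logged-in victim yield different responses,
// i.e. when the parse error on the attacker's page would differ too.
function isLoginOracle(handler, sameSite) {
  const loggedOut = crossSiteScriptLoad(handler, []);
  const loggedIn = crossSiteScriptLoad(handler, [sessionCookie(sameSite)]);
  return loggedOut.status !== loggedIn.status || loggedOut.body !== loggedIn.body;
}
```

<p><code>isLoginOracle(vulnerableHandler, null)</code> reports the leak; <code>isLoginOracle(vulnerableHandler, 'Lax')</code> and <code>isLoginOracle(hardenedHandler, null)</code> do not. That is the property to test for on a real site: an ambient-credential request that lacks whatever token or header the site requires must get the same answer regardless of the session cookie, otherwise the error event, a timing difference or a response size still gives the attacker one bit.</p>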
<ul><li> <b>Dec 13 - <a \
href="http://www.washingtonpost.com/wp-dyn/content/article/2006/12/12/AR2006121200173.html" \
title="http://www.washingtonpost.com/wp-dyn/content/article/2006/12/12/AR2006121200173.html" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

UCLA spins massive breach</a></b>
- Why not just say what measures you&#39;ve really taken? Are all
developers trained? Do you do code review and security testing? &quot;Jim
Davis, UCLA&#39;s chief information officer, said a computer trespasser
used a program designed to exploit an undetected software flaw to
bypass all security measures and gain access to the restricted database
that contains information on about 800,000 current and former students,
faculty and staff, as well as some student applicants and parents of
students or applicants who applied for financial aid. &#39;In spite of our
diligence, a sophisticated hacker found and exploited a subtle
vulnerability in one of hundreds of applications,&#39; Davis said in the
statement.&quot; </li></ul>
<ul><li> <b>Dec 10 - <a \
href="http://news.com.com/Security+Bites+Podcast+MySpace,+Apple+in+patch+snafu/2324-12640_3-6142120.html" \
title="http://news.com.com/Security+Bites+Podcast+MySpace,+Apple+in+patch+snafu/2324-12640_3-6142120.html" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

MySpace and Apple mess</a></b>  - MySpace and Apple show how NOT to handle security \
incidents (see also <a \
href="http://blog.washingtonpost.com/securityfix/2006/12/how_not_to_distribute_security_1.html" \
title="http://blog.washingtonpost.com/securityfix/2006/12/how_not_to_distribute_security_1.html" \
rel="nofollow" target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">

How Not to Distribute Security Patches</a>) 
</li></ul>
<ul><li> <b>Dec 2 - <a href="http://blogs.oracle.com/security/2006/11/27#a39" \
title="http://blogs.oracle.com/security/2006/11/27#a39" rel="nofollow" \
target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> Oracle blames \
                security researchers</a></b>
- &quot;We do not credit security researchers who disclose the existence of
vulnerabilities before a fix is available. We consider such practices,
including disclosing &#39;zero day&#39; exploits, to be irresponsible.&quot; So the
question on everybody&#39;s mind - is the Oracle Software Security
Assurance program real? Or are David Litchfield and Cesar Cerrudo right
that the Emperor has no clothes?
</li></ul>


