Differences
This shows you the differences between two versions of the page.
public:secureprogramming [2014-05-27 08:30] – [OWASP tools] petrs | public:secureprogramming [2014-09-11 11:38] – petrs | ||
Line 81: | Line 81: | ||
* Run cmd with Administrator privileges | * Run cmd with Administrator privileges | ||
* peach configuration.xml | * peach configuration.xml | ||
+ | |||
+ | ===== Notes ===== | ||
+ | * Example output for new students: | ||
+ | * Use format of https:// | ||
+ | * High-level metrics: platform... | ||
+ | * Iterative process, highlight to students | ||
+ | * Platform supported | ||
+ | * Properties from Andrii | ||
+ | * IDE integration vs. standalone / server-based tool | ||
+ | * Miro - Coverity experience | ||
+ | * 3 bc works | ||
+ | * Metrics (owasp top 10) | ||
+ | |||
+ | A1 Injection | ||
+ | A2 Broken Authentication and Session Management | ||
+ | A3 Cross-Site Scripting (XSS) | ||
+ | A4 Insecure Direct Object References | ||
+ | A5 Security Misconfiguration | ||
+ | A6 Sensitive Data Exposure | ||
+ | A7 Missing Function Level Access Control | ||
+ | A8 Cross-Site Request Forgery (CSRF) | ||
+ | A9 Using Components with Known Vulnerabilities | ||
+ | A10 Unvalidated Redirects and Forwards | ||
+ | |||
+ | |||
+ | |||
==== OWASP tools ==== | ==== OWASP tools ==== | ||
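Review bot: the A1 to A10 list added under `Metrics (owasp top 10)` does not say which edition of the OWASP Top 10 it reproduces; the entries shown (A1 Injection through A10 Unvalidated Redirects and Forwards, with A7 Missing Function Level Access Control and A9 Using Components with Known Vulnerabilities) are the 2013 edition, and because categories and numbering change between editions the heading should name the year, e.g. `Metrics (OWASP Top 10 2013)`. The three empty lines added before `==== OWASP tools ====` can be collapsed to one.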
Line 93: | Line 119: | ||
* [2014] OWASP Access Control Rules Tester Project https:// | * [2014] OWASP Access Control Rules Tester Project https:// | ||
* Insufficient Access Control | * Insufficient Access Control | ||
+ | * TRY | ||
* AntiSamy https:// | * AntiSamy https:// | ||
* API for ensuring user-supplied HTML/CSS is in compliance within an application' | * API for ensuring user-supplied HTML/CSS is in compliance within an application' | ||
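Review bot: the new `* TRY` marker under OWASP Access Control Rules Tester is not defined anywhere on the page; a one-line legend at the top of the tool list stating what it means (for instance, that the tool is still to be evaluated for the course) would let other editors act on it, and the marker should be spelled consistently, since it also appears in lower case as `* try` at the end of the list.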
Line 99: | Line 126: | ||
* [2012] Mutillidae | * [2012] Mutillidae | ||
* Mutillidae contains all of the vulnerabilties from the OWASP Top 10 | * Mutillidae contains all of the vulnerabilties from the OWASP Top 10 | ||
+ | * TRY | ||
* http:// | * http:// | ||
* [2014] OWASP Mantra security testing web browser (build on Firefox) http:// | * [2014] OWASP Mantra security testing web browser (build on Firefox) http:// | ||
+ | * TRY | ||
* firefox-based browser with large number of security plugins http:// | * firefox-based browser with large number of security plugins http:// | ||
* [2013] OWASP Broken Web Applications Project https:// | * [2013] OWASP Broken Web Applications Project https:// | ||
* application with vulnerabilities, | * application with vulnerabilities, | ||
+ | * TRY | ||
* [2014] ByWaf https:// | * [2014] ByWaf https:// | ||
* web application penetration testing framework, command-line interpreter and a set of plugins | * web application penetration testing framework, command-line interpreter and a set of plugins | ||
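Review bot: under Mutillidae and Mantra the added `* TRY` line is inserted between the tool entry and its description or link (`* http://`, `* firefox-based browser ...`), which splits each entry in two; the marker reads better as the last sub-item of an entry, as it already is for OWASP Broken Web Applications Project. While these lines are being edited, the typo `vulnerabilties` in the unchanged Mutillidae description could be corrected to `vulnerabilities`.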
Line 110: | Line 140: | ||
* OWASP Enterprise Security API https:// | * OWASP Enterprise Security API https:// | ||
* Java, .NET, ASP, PHP, Python, JavaScript... | * Java, .NET, ASP, PHP, Python, JavaScript... | ||
+ | * TRY | ||
+ | * [2011] Hackademic Challenges https:// | ||
+ | * vulnerable app, challenges | ||
+ | * TRY | ||
+ | * [2014] java-html-sanitizer https:// | ||
+ | * fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS | ||
+ | * XSS prevention sheet https:// | ||
+ | * [2014] JSON Sanitizer Project https:// | ||
+ | * Given JSON-like content, convert it to valid JSON. Java library | ||
+ | * [2011, 2014?] OWASP LAPSE Project https:// | ||
+ | * Security Scanner for Java EE Applications | ||
+ | * eclipse plugin | ||
+ | * TRY | ||
+ | * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https:// | ||
+ | * [2013] OWASP Security Shepherd https:// | ||
+ | * TRY | ||
+ | * security teaching application, | ||
+ | * [2014] XSS detection toolkit https:// | ||
+ | * TRY | ||
+ | * [2014] OWASP ZED Attack Proxy Project https:// | ||
+ | * TRY | ||
+ | * [2014] OSAFT https:// | ||
+ | * ssl testing and auditing tool | ||
+ | * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations | ||
+ | * try | ||
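Review bot: the new entries for OWASP OWTF, the XSS detection toolkit and the ZED Attack Proxy carry only a name and link while every other tool in the list has a one-line description of what it does, so they should get one too; the LAPSE year tag `[2011, 2014?]` should be resolved to a single year or labelled as the date of the last release; the project name is written `Zed Attack Proxy` (ZAP); and the OSAFT description would read more clearly as `tool that shows information about an SSL certificate and tests the SSL connection against a given list of ciphers and various SSL configurations`, with the closing `* try` in the same case as the other `TRY` markers.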