Differences

This shows you the differences between two versions of the page.

public:secureprogramming [2014-09-11 11:30] petrspublic:secureprogramming [2014-09-11 11:51] – [OWASP tools] petrs
Line 86: Line 86:
     * Use format of https://is.muni.cz/auth/th/396518/fi_b/bp.pdf as an example     * Use format of https://is.muni.cz/auth/th/396518/fi_b/bp.pdf as an example
     * High-level metrics: platform...     * High-level metrics: platform...
-    * 1st iteration+    * Iterative process, highlight to students
     * Platform supported     * Platform supported
     * Properties from Andrii     * Properties from Andrii
     * IDE integration vs. standalone / server-based tool     * IDE integration vs. standalone / server-based tool
   * Miro - Coverity experience   * Miro - Coverity experience
-  * +  * 3 bc works 
 +  * Metrics (owasp top 10) 
 +  
 +    A1 Injection 
 +    A2 Broken Authentication and Session Management 
 +    A3 Cross-Site Scripting (XSS) 
 +    A4 Insecure Direct Object References 
 +    A5 Security Misconfiguration 
 +    A6 Sensitive Data Exposure 
 +    A7 Missing Function Level Access Control 
 +    A8 Cross-Site Request Forgery (CSRF) 
 +    A9 Using Components with Known Vulnerabilities 
 +    A10 Unvalidated Redirects and Forwards 
  
  
  
 ==== OWASP tools ==== ==== OWASP tools ====
 +
   * List of owasp tools https://www.owasp.org/index.php/Category:OWASP_Tools_Project   * List of owasp tools https://www.owasp.org/index.php/Category:OWASP_Tools_Project
     * https://www.owasp.org/index.php/Category:OWASP_Tool     * https://www.owasp.org/index.php/Category:OWASP_Tool
 +
 +==== Web security testing tool ====
   * w3af framework for manipulating HTTP (fuzzers, crawlers...) http://w3af.org/features   * w3af framework for manipulating HTTP (fuzzers, crawlers...) http://w3af.org/features
     * free, opensource     * free, opensource
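Review bot: the ten "A1 Injection" … "A10 Unvalidated Redirects and Forwards" lines added under "Metrics (owasp top 10)" are indented with plain spaces and carry no `*`, so DokuWiki will render them as a preformatted block instead of sub-items of the list; prefix each with `    * ` (e.g. `    * A1 Injection`). The categories listed are the 2013 edition of the Top 10 and are renumbered between editions, so name the edition in the parent item ("Metrics (OWASP Top 10 2013)"). The added item "3 bc works" is too terse for anyone outside the meeting; spell out what "bc works" refers to.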
Line 107: Line 123:
     * Insufficient Access Control      * Insufficient Access Control 
     * TRY     * TRY
-  * AntiSamy https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET +  * [2014] OWASP Mantra security testing web browser (build on Firefox) http://www.getmantra.com/owasp-mantra.html 
-    * API for ensuring user-supplied HTML/CSS is in compliance within an application's rules+    * TRY 
 +    * firefox-based browser with large number of security plugins http://www.getmantra.com/tools.html 
 +  * [2014] ByWaf https://www.owasp.org/index.php/OWASP_Bywaf_Project 
 +    * web application penetration testing framework, command-line interpreter and a set of plugins  
 +  * [2011, 2014?] OWASP LAPSE Project https://www.owasp.org/index.php/OWASP_LAPSE_Project 
 +    * Security Scanner for Java EE Applications 
 +    * eclipse plugin 
 +    * TRY 
 +  * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF  
 + 
 +==== Vulnerable app / distro / hackme challenges ====
   * [2014] OWASP Insecure Web App Project  https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project   * [2014] OWASP Insecure Web App Project  https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
     * InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling     * InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling
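Review bot: the OWASP OWTF entry on the last added line of this group has neither a description nor a TRY marker, and the ByWaf entry has no TRY marker, unlike the Mantra and LAPSE entries next to them; add at least the one-line description so the list stays consistent. The LAPSE entry describes an Eclipse plugin that scans Java EE applications, i.e. a source-level static analysis tool, which sits oddly under "Web security testing tool" beside the black-box tools (w3af, Mantra, ByWaf, OWTF); consider a separate static-analysis heading. Minor: "build on Firefox" should read "built on Firefox", and the "[2011, 2014?]" date on LAPSE should be resolved before the page is published.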
Line 115: Line 141:
     * TRY     * TRY
     * http://sourceforge.net/projects/mutillidae/files/mutillidae-project/      * http://sourceforge.net/projects/mutillidae/files/mutillidae-project/ 
-  * [2014] OWASP Mantra security testing web browser (build on Firefox) http://www.getmantra.com/owasp-mantra.html 
-    * TRY 
-    * firefox-based browser with large number of security plugins http://www.getmantra.com/tools.html 
   * [2013] OWASP Broken Web Applications Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project   * [2013] OWASP Broken Web Applications Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
     * application with vulnerabilities, virtual machine     * application with vulnerabilities, virtual machine
     * TRY     * TRY
-  * [2014] ByWaf https://www.owasp.org/index.php/OWASP_Bywaf_Project 
-    * web application penetration testing framework, command-line interpreter and a set of plugins  
   * Damn Vulnerable iOS Application https://www.owasp.org/index.php/OWASP_DVIA   * Damn Vulnerable iOS Application https://www.owasp.org/index.php/OWASP_DVIA
     * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try     * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try
-  * OWASP Enterprise Security API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads 
-    * Java, .NET, ASP, PHP, Python, JavaScript... 
-    * TRY 
   * [2011] Hackademic Challenges https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project   * [2011] Hackademic Challenges https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
     * vulnerable app, challenges     * vulnerable app, challenges
 +    * TRY
 +
 +==== Security-supporting library ====
 +
 +  * [2009] AntiSamy https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET
 +    * API for ensuring user-supplied HTML/CSS is in compliance within an application's rules
 +  * OWASP Enterprise Security API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads
 +    * Java, .NET, ASP, PHP, Python, JavaScript...
     * TRY     * TRY
   * [2014] java-html-sanitizer https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project   * [2014] java-html-sanitizer https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
     *  fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS     *  fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS
-  * XSS prevention sheet https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 
   * [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer    * [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer 
     * Given JSON-like content, convert it to valid JSON. Java library     * Given JSON-like content, convert it to valid JSON. Java library
-  [2011, 2014?] OWASP LAPSE Project https://www.owasp.org/index.php/OWASP_LAPSE_Project + 
-    * Security Scanner for Java EE Applications + 
-    * eclipse plugin +==== Security processes and awareness ==== 
-    * TRY +  XSS prevention sheet https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 
-  * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF + 
 + 
 + 
   * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd   * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
     * TRY     * TRY
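Review bot: the "XSS prevention sheet" line moved under the new "Security processes and awareness" heading has lost its `*` bullet (the right-hand column reads `  XSS prevention sheet https://www.owasp.org/...`), so it will not render as a list item; restore `  * ` in front of it, and use the page's actual title, "XSS (Cross Site Scripting) Prevention Cheat Sheet". The Security Shepherd entry under the same heading carries only a TRY marker while every other entry in these sections has a one-line description; add one. The AntiSamy entry is filed as a general "Security-supporting library" but links to the .NET-specific project page (`OWASP_AntiSamy_Project_.NET`); either link the main AntiSamy project page or state that the .NET port is the one intended.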