Differences

public:secureprogramming [2014-09-11 11:40] – [OWASP tools] petrspublic:research:secprog:secureprogramming [2016-12-01 13:28] (current) – external edit 127.0.0.1
Line 2: Line 2:
  
   * 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http://www.math.uaa.alaska.edu/~afkjm/cs470/handouts/SecuritySins.pdf   * 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http://www.math.uaa.alaska.edu/~afkjm/cs470/handouts/SecuritySins.pdf
 +  * Mozilla secure coding guidelines: https://developer.mozilla.org/en-US/docs/Secure_Development_Guidelines
 +
  
 ===== Security programming courses ===== ===== Security programming courses =====
Line 81: Line 83:
     * Run cmd with Administrator privileges     * Run cmd with Administrator privileges
       * peach configuration.xml       * peach configuration.xml
 +    * Run Peach in agent mode: //peach -a tcp//
 +      * ERROR: Error, could not load platform assembly 'Peach.Core.OS.Windows.dll' The assembly is part of the Internet Security Zone and loading has been blocked.
 +      * Solution: https://forums.peachfuzzer.com/showthread.php?198-Could-not-load-platform-assembly-Peach-Core-OS-Windows-dll
 +    * ERROR: Could not start monitor "WindowsDebugger" Could not find a part of the path 'C
 +:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll'.
 +      * set proper path to WinDbg (e.g., c:\Program Files (x86)\Debugging Tools for Windows\) in peach pit file
 +      * <Param name="WinDbgPath" value="c:\Program Files (x86)\Debugging Tools for Windows\" />
 +
 +
  
 ===== Notes ===== ===== Notes =====
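Review bot: the two Debugging Tools paths in this hunk disagree: the WindowsDebugger error quotes 'C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll' (broken across two lines here, so the drive letter "C" and the rest of the path should be rejoined on one line), while the suggested WinDbgPath value is 'c:\Program Files (x86)\Debugging Tools for Windows\'. State explicitly that the value in `<Param name="WinDbgPath" value="..." />` must be the directory that actually contains dbgeng.dll on the host, including the trailing backslash as shown. The 'Internet Security Zone' error is only resolved by a forum link; a one-line summary of the fix next to the link would keep this troubleshooting note usable if the thread goes away.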
Line 90: Line 101:
     * Properties from Andrii     * Properties from Andrii
     * IDE integration vs. standalone / server-based tool     * IDE integration vs. standalone / server-based tool
-  * Miro - Coverity experience +  * Coverity experience 
-  * 3 bc works+  * 3 bc theses 
 +    * Use owasp tools, test against vulnerable apps, evaluate 
 +    * Implement personalized testing scenarios inside given framework (he Web Application Hacker's Handbook scenarios) 
 +      * multiple scenarios, every week demonstration of progress 
 +    * Vulnerability scanners - Nessus, Metasploit...
   * Metrics (owasp top 10)   * Metrics (owasp top 10)
    
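Review bot: typo in the second added sub-item: 'he Web Application Hacker's Handbook scenarios' should read 'the Web Application Hacker's Handbook scenarios'. The third thesis bullet, 'Vulnerability scanners - Nessus, Metasploit...', is only a tool list, whereas the first two bullets say what the student is expected to do (use and evaluate tools, implement scenarios with weekly demonstrations); add the expected task for the scanner thesis so the three entries are comparable.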
Line 109: Line 124:
  
 ==== OWASP tools ==== ==== OWASP tools ====
 +
   * List of owasp tools https://www.owasp.org/index.php/Category:OWASP_Tools_Project   * List of owasp tools https://www.owasp.org/index.php/Category:OWASP_Tools_Project
     * https://www.owasp.org/index.php/Category:OWASP_Tool     * https://www.owasp.org/index.php/Category:OWASP_Tool
 +
 +==== Web security testing tool ====
   * w3af framework for manipulating HTTP (fuzzers, crawlers...) http://w3af.org/features   * w3af framework for manipulating HTTP (fuzzers, crawlers...) http://w3af.org/features
     * free, opensource     * free, opensource
Line 120: Line 138:
     * Insufficient Access Control      * Insufficient Access Control 
     * TRY     * TRY
-  * [2009] AntiSamy https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET 
-    * API for ensuring user-supplied HTML/CSS is in compliance within an application's rules 
-  * [2014] OWASP Insecure Web App Project  https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project 
-    * InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling 
-  * [2012] Mutillidae  http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10  
-    * Mutillidae contains all of the vulnerabilties from the OWASP Top 10 
-    * TRY 
-    * http://sourceforge.net/projects/mutillidae/files/mutillidae-project/  
   * [2014] OWASP Mantra security testing web browser (build on Firefox) http://www.getmantra.com/owasp-mantra.html   * [2014] OWASP Mantra security testing web browser (build on Firefox) http://www.getmantra.com/owasp-mantra.html
     * TRY     * TRY
     * firefox-based browser with large number of security plugins http://www.getmantra.com/tools.html     * firefox-based browser with large number of security plugins http://www.getmantra.com/tools.html
-  * [2013] OWASP Broken Web Applications Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project 
-    * application with vulnerabilities, virtual machine 
-    * TRY 
   * [2014] ByWaf https://www.owasp.org/index.php/OWASP_Bywaf_Project   * [2014] ByWaf https://www.owasp.org/index.php/OWASP_Bywaf_Project
     * web application penetration testing framework, command-line interpreter and a set of plugins      * web application penetration testing framework, command-line interpreter and a set of plugins 
-  * Damn Vulnerable iOS Application https://www.owasp.org/index.php/OWASP_DVIA 
-    * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try 
-  * OWASP Enterprise Security API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads 
-    * Java, .NET, ASP, PHP, Python, JavaScript... 
-    * TRY 
-  * [2011] Hackademic Challenges https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project 
-    * vulnerable app, challenges 
-    * TRY 
-  * [2014] java-html-sanitizer https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project 
-    *  fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS 
-  * XSS prevention sheet https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 
-  * [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer  
-    * Given JSON-like content, convert it to valid JSON. Java library 
   * [2011, 2014?] OWASP LAPSE Project https://www.owasp.org/index.php/OWASP_LAPSE_Project   * [2011, 2014?] OWASP LAPSE Project https://www.owasp.org/index.php/OWASP_LAPSE_Project
     * Security Scanner for Java EE Applications     * Security Scanner for Java EE Applications
Line 154: Line 148:
     * TRY     * TRY
   * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF    * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF 
-  * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd 
-    * TRY 
-    * security teaching application, CTF 
   * [2014] XSS detection toolkit https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework   * [2014] XSS detection toolkit https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
     * TRY     * TRY
Line 165: Line 156:
     * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations     * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations
     * try     * try
 +
 +==== Vulnerable app / distro / hackme challenges ====
 +  * [2014] OWASP Insecure Web App Project  https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
 +    * InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling
 +  * [2012] Mutillidae  http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 
 +    * Mutillidae contains all of the vulnerabilties from the OWASP Top 10
 +    * TRY
 +    * http://sourceforge.net/projects/mutillidae/files/mutillidae-project/ 
 +  * [2013] OWASP Broken Web Applications Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
 +    * application with vulnerabilities, virtual machine
 +    * TRY
 +  * Damn Vulnerable iOS Application https://www.owasp.org/index.php/OWASP_DVIA
 +    * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try
 +  * [2011] Hackademic Challenges https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
 +    * vulnerable app, challenges: https://github.com/Hackademic/hackademic/
 +    * TRY
 +  * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
 +    * TRY: https://github.com/OWASP/SecurityShepherd
 +    * security teaching application, CTF
 +  * [2015] Samurai Web Testing Framework http://samurai.inguardians.com/
 +    * preinstalled Mutillidae,  
 +
 +==== Security-supporting library ====
 +
 +  * [2009] AntiSamy https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET
 +    * API for ensuring user-supplied HTML/CSS is in compliance within an application's rules
 +  * OWASP Enterprise Security API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads
 +    * Java, .NET, ASP, PHP, Python, JavaScript...
 +    * TRY
 +  * [2014] java-html-sanitizer https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
 +    *  fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS
 +  * [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer 
 +    * Given JSON-like content, convert it to valid JSON. Java library
 +  * [2015] Several Java web applications and command line applications covering different security topics: https://github.com/dschadow/JavaSecurity
 +
 +
 +==== Security processes and awareness ====
 +  * XSS prevention sheet https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
 +
 +
 +
 +
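Review bot: the Samurai Web Testing Framework entry stops mid-list ('preinstalled Mutillidae,  '); either finish the list of bundled targets or drop the trailing comma. 'vulnerabilties' in the Mutillidae line is a typo for 'vulnerabilities'. Under 'Security-supporting library', the AntiSamy link points at the .NET project category while the description is generic, so say which port (Java or .NET) the entry refers to. The new 'Security processes and awareness' section holds only the XSS prevention cheat sheet; if it is meant as a placeholder for a longer list, say so, otherwise the cheat sheet sits more naturally next to the sanitizer libraries it complements.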