
Thursday, October 17, 2013

Xenotix XSS Exploit Framework V4.5 Released - OWASP

Xenotix XSS Exploit Framework, by OWASP, is a Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Its scanner renders payloads in three embedded browser engines (Trident, WebKit and Gecko), which is the basis of its zero-false-positive claim: a payload is reported only when it actually executes, not merely when it is reflected. It is claimed to hold the world's second-largest collection of XSS payloads, more than 1500 distinct payloads for XSS detection and WAF bypass. It also ships an information gathering module for target reconnaissance, and offensive XSS exploitation modules for penetration testing and proof-of-concept creation.

V4.5 Additions
JavaScript Beautifier
Pause and Resume support for Scan
Jump to Payload
Cookie Support for POST Request
Cookie Support and Custom Headers for Header Scanner
Added TRACE method Support
Improved Interface
Better Proxy Support
WAF Fingerprinting
Load Files <exploitation module>
Hash Calculator
Hash Detector


Monday, June 24, 2013

OWASP 2013 Top 10 Application Security Risks

A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
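As an added example (not from the page or from OWASP), the two query styles side by side in Python against an in-memory SQLite table with constructed sample users: the string-built query lets a quote and a comment marker rewrite the WHERE clause, while the parameterised one hands the same input to SQLite as a plain string value.

```python
import sqlite3

# Constructed sample data; not from the page.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text, so SQLite cannot tell data
    from command: a quote or a '--' comment marker in the input changes the query."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so the same input is compared as a literal string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the comment marker removes the password check.
    print(login_vulnerable(db, "alice' --", "wrong"))          # [('alice', 'admin')]
    # Tautology: the WHERE clause is true for every row.
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))  # [('alice', 'admin'), ('bob', 'user')]
    print(login_safe(db, "alice' --", "wrong"))                # []
    print(login_safe(db, "alice", "s3cret"))                   # [('alice', 'admin')]
```

The same separation of code from data is the fix for the other interpreters the paragraph names: pass OS commands as an argument list rather than a shell string, and escape LDAP filter values per RFC 4515 before building the filter.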

A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
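Added example, not the page's own code: one untrusted value rendered into four browser contexts (HTML text, a quoted attribute, a URL query component and a JavaScript string literal), each with the encoding that context needs, next to the reflected version that runs the script. The payload, the markup and the profile URL are constructed for the demo.

```python
import html
import json
from urllib.parse import quote, urlparse

# Constructed attacker input; not from the page.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(name):
    """Reflects untrusted data into the page unchanged: the browser parses the
    payload as markup and runs the script in the victim's origin."""
    return "<p>Welcome back, %s</p>" % name


def encode_for_js_string(value):
    """Encode a value for use inside a JavaScript string literal.
    json.dumps handles quotes and control characters; < > & are additionally
    \\u-escaped so a '</script>' inside the value cannot close the script block."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def safe_href(url):
    """Only http(s) URLs may go into href; javascript:, data: etc. become '#'."""
    scheme = urlparse(url).scheme.lower()
    return html.escape(url, quote=True) if scheme in ("http", "https") else "#"


def render_safe(name, homepage):
    """Escape each value for the context it lands in."""
    body = html.escape(name, quote=True)   # HTML text node
    attr = html.escape(name, quote=True)   # quoted attribute value (always quote the attribute)
    js = encode_for_js_string(name)         # inside <script>
    query = quote(name, safe="")            # URL query component
    return (
        "<p>Welcome back, %s</p>\n" % body
        + '<input type="text" name="display" value="%s">\n' % attr
        + '<a href="%s">homepage</a>\n' % safe_href(homepage)
        + '<a href="/search?q=%s">search</a>\n' % query
        + "<script>var user = %s;</script>" % js
    )
```

A single escaping routine is not enough because each context has its own parser: HTML entity encoding does nothing inside a script block, and a URL-encoded value is decoded before the HTML parser sees it.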

A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
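Added example covering both A4 and A7 above (not from the page): an ownership check on a direct database key, a per-session indirect reference map as the alternative OWASP recommends for A4, and a server-side role check that holds regardless of whether the UI showed the link. The invoice and user records, the Forbidden exception and the handler names are all constructed for the demo.

```python
import secrets

# Constructed sample records; not from the page.
INVOICES = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 99.5},
}
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}


class Forbidden(Exception):
    """Raised when the authenticated user may not perform the request."""


def get_invoice_vulnerable(session_user, invoice_id):
    """A4: the database key goes straight from the URL to the lookup. Any
    logged-in user can read any invoice by editing the id (101 -> 102)."""
    return INVOICES[invoice_id]


def get_invoice_safe(session_user, invoice_id):
    """Same lookup, but the record's owner must match the authenticated user."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        # One error for both 'missing' and 'not yours' so ids cannot be enumerated.
        raise Forbidden("no such invoice")
    return inv


class IndirectRefMap:
    """Per-session indirect references: the client only ever sees random
    tokens, and the server maps them back to the real keys it issued."""

    def __init__(self):
        self._tokens = {}

    def issue(self, real_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = real_id
        return token

    def resolve(self, token):
        if token not in self._tokens:
            raise Forbidden("unknown reference")
        return self._tokens[token]


def delete_user_vulnerable(users, session_user, target):
    """A7: the 'delete' link is hidden from non-admins in the UI, but the
    handler never re-checks the role, so a hand-crafted request succeeds."""
    return users.pop(target, None) is not None


def require_role(role):
    """Decorator that enforces the role on every call, whatever the UI showed."""
    def decorator(handler):
        def wrapper(users, session_user, *args, **kwargs):
            if users.get(session_user, {}).get("role") != role:
                raise Forbidden("requires role %s" % role)
            return handler(users, session_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_user_safe(users, session_user, target):
    return users.pop(target, None) is not None
```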

A8-Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
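Added example (not from the page): a synchronizer token bound to the session with an HMAC, and a funds-transfer handler before and after the check. The request dictionaries stand in for HTTP POSTs (cookies plus form fields); SECRET_KEY is an assumed server secret generated at import time, and the session ids are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in practice load it from configuration, not code.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Create a token bound to the caller's session: nonce.HMAC(secret, session:nonce).
    Binding to the session means a token leaked from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def transfer_vulnerable(request):
    """Acts on the session cookie alone. The browser attaches that cookie to a
    form auto-submitted from an attacker's page, so the forged POST succeeds."""
    session = request["cookies"].get("session")
    if session is None:
        return 401, "login required"
    return 200, "moved %s to %s" % (request["form"]["amount"], request["form"]["to"])


def transfer_safe(request):
    """Requires a session-bound token in the form body. The attacker's page can
    make the browser send the cookie but cannot read the token to include it."""
    session = request["cookies"].get("session")
    if session is None:
        return 401, "login required"
    if not verify_csrf_token(session, request["form"].get("csrf_token")):
        return 403, "invalid CSRF token"
    return 200, "moved %s to %s" % (request["form"]["amount"], request["form"]["to"])


def make_request(session, form):
    """Constructed stand-in for an HTTP POST: session cookie plus form fields."""
    return {"method": "POST", "cookies": {"session": session} if session else {}, "form": form}
```

The token must travel in the request body or a custom header, never in a cookie, because anything in a cookie is exactly what the browser sends automatically. Setting the session cookie with SameSite is a useful second layer but does not replace the token.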

A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
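Added example (not from the page): a redirect validator that accepts only rooted local paths or absolute http(s) URLs on an assumed host, example.com, and rejects the usual bypasses (other hosts, protocol-relative //host, javascript: URLs, backslash and user@host tricks), falling back to the site root otherwise.

```python
from urllib.parse import urlparse

# Assumed site host; replace with the application's own host.
OUR_HOST = "example.com"


def is_safe_redirect(target, allowed_host=OUR_HOST):
    """Accept only rooted paths on this site or absolute http(s) URLs on allowed_host."""
    if not isinstance(target, str) or not target.strip():
        return False
    # Browsers treat backslashes as forward slashes; normalise before parsing
    # so "/\evil.com" is not mistaken for a local path.
    target = target.strip().replace("\\", "/")
    # "//evil.com" and "///evil.com" are scheme-relative URLs to another host.
    if target.startswith("//"):
        return False
    parsed = urlparse(target)
    if parsed.scheme:
        if parsed.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, vbscript: ...
        # hostname (not netloc) so "http://example.com@evil.com/" resolves to evil.com
        if (parsed.hostname or "").lower() != allowed_host.lower():
            return False
        return True
    # No scheme: require a path rooted at "/" ("evil.com/x" is not a local path)
    return target.startswith("/")


def redirect_target(requested, fallback="/"):
    """Return the requested URL if it passes validation, otherwise the fallback."""
    return requested if is_safe_redirect(requested) else fallback
```

Where the set of destinations is small, map a short key (e.g. `next=account`) to a server-side table instead of accepting a URL at all; the validator above is for the case where arbitrary local paths must be supported.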

Sunday, December 23, 2012

OWASP - Web Security Training

OWASP - Open Web Application Security Project :

OWASP is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world, and works to create freely available articles, methodologies, documentation, tools, and technologies.

OWASP Testing Guide :

January 2004 – "The OWASP Testing Guide", Version 1.0

July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1
Download Link : OWASP Ver 1.1

December 25, 2006 – "OWASP Testing Guide", Version 2.0
Download Link (MS DOC format) : OWASP Ver 2.0
Download Link (PDF format) : OWASP Ver 2.0

September 15, 2008 – "OWASP Testing Guide", Version 3.0
Download Link (MS PPT format) : OWASP Ver 3.0
Download Link (PDF format) : OWASP Ver 3.0

Video Tutorials : OWASP AppSec Basics, OWASP SQL Injection, OWASP Cross Site Scripting, OWASP Strict Transport Security

Setting Up OWASP Web Security Learning Lab with OWASP ZAP :


Required Software

  • VirtualBox
  • OWASP Broken Web Apps VM (zip archive)

  1. Install VirtualBox
  2. Unzip OWASP Broken Web Apps VM into any directory (don't pick restricted directories that require admin or sudo to access)
  3. Open VirtualBox and hit the icon for "New"
    • VM Name and OS Type: Enter name "OWASP-BWA" and select OS "Linux" and Version "Ubuntu"
    • Memory: Default of 512 is fine
    • Virtual Hard Disk: Important: select "Use existing hard disk" and click on the folder icon.
    • Browse to the unzipped folder contents of the OWASP Broken Web Apps VM. Select "OWASP Broken Web Apps.vmdk". Note: there are similar files ending in -s001; don't pick those.
    • Click OK to finish VM Setup
  4. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and select "Settings" (also available via menu Machine->Settings)
    • Go to Settings->Network->Adapter 1.
    • Make sure the checkmark for enabled is checked.
    • Change "Attached to:" from "NAT" to "Host-Only Adapter"
    • Click OK
  5. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and hit "Start"
  6. After the VM boots, the OWASP-BWA login screen prints a message containing the VM's IP address (yours will be similar but not identical).

  7. You can access the web apps at the address shown in that message.

  8. Open a browser on your main machine (not the VM) and go to that URL. It should load a page that starts with "OWASP Broken Web Applications".
  9. Note: you don't need to actually log in to the virtual machine. Everything is already running.

Common Errors

  • Boot Up Error Message - Kernel requires feature on CPU: pae
    • Power off VM (not VirtualBox, just VM window)
    • Right click on OWASP-BWA on left side and select "Settings" (also available via menu Machine->Settings)
    • Go to System->Processor and enable PAE
    • Click OK and restart VM
  • Host Only Adapter Shows Error Message and Name says "not selected" with no options
    • Go to the VirtualBox Manager (e.g. the main virtualbox control app, not the individual vm)
    • Go to the VirtualBox->Preferences and then select "Network" (note: these are settings for the virtualbox app overall)
    • There is text box with the title "Host-only Networks:" it is most likely an empty text area and this is the problem
    • Click the plus icon on the right to add a new adapter. You should now see "vboxnet0"
    • Click ok and then go back to the VMs preferences. You should be able to select the hostonly adapter now
  • Keyboard and mouse trapped in VM
    • Mac: press the left Command key (the default VirtualBox host key) to release the keyboard and mouse
    • Windows/Linux: press the right Ctrl key (the default host key)
    • Simply click back inside the vm with the mouse to regain keyboard control in the VM


OWASP WebScarab Proxy Training :

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
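Added example (not WebScarab's own code): what an intercepting proxy does to a request on its way from the browser to the server, in Python. It parses the raw bytes, applies the operator's edits (here a form field and a header), and re-serialises the request with a corrected Content-Length, which is the step a hand-edited request most often gets wrong. The request and the host shop.example are constructed for the demo.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample request, as the proxy would receive it from the browser.
RAW_REQUEST = (
    b"POST /cart/checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"item=book&qty=1&price=1999.00"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}


def serialize_request(req):
    """Rebuild the request bytes, recomputing Content-Length for the (possibly edited) body."""
    headers = [(n, v) for n, v in req["headers"] if n.lower() != "content-length"]
    if req["body"]:
        headers.append(("Content-Length", str(len(req["body"]))))
    head = "%s %s %s\r\n" % (req["method"], req["path"], req["version"])
    head += "".join("%s: %s\r\n" % (n, v) for n, v in headers)
    return head.encode("iso-8859-1") + b"\r\n" + req["body"]


def set_form_field(req, name, value):
    """Edit one field of an application/x-www-form-urlencoded body, as an
    operator would in the proxy's request editor (e.g. a client-side price)."""
    fields = dict(parse_qsl(req["body"].decode("utf-8"), keep_blank_values=True))
    fields[name] = value
    req["body"] = urlencode(fields).encode("utf-8")
    return req


def set_header(req, name, value):
    """Replace (or add) a header, e.g. to change User-Agent or add X-Forwarded-For."""
    req["headers"] = [(n, v) for n, v in req["headers"] if n.lower() != name.lower()]
    req["headers"].append((name, value))
    return req


def intercept(raw, edits):
    """Parse, apply the operator's edits, re-serialise: the proxy's job between browser and server."""
    req = parse_request(raw)
    for kind, name, value in edits:
        if kind == "form":
            set_form_field(req, name, value)
        elif kind == "header":
            set_header(req, name, value)
    return serialize_request(req)
```

Because the server never sees the browser, only the bytes the proxy forwards, any value the application trusted the client to supply (prices, ids, hidden fields, role flags) is fair game for this kind of edit; that is what the WebGoat and BWA lessons below are built to show.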



Linux: java -jar ./webscarab-selfcontained-[numbers].jar


OWASP Webgoat Training :

WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Download Link : WebGoat V 5.4

Training Documentation :

References to WebGoat documentation or solutions.


Hacking-Lab is providing the FREE OWASP TOP 10 hands-on lab as a service to the OWASP Academy Portal and to the OWASP community. This training material is reviewed and approved by the OWASP Academy Portal Project members in order to set and maintain an OWASP-worthy training quality.

Installation :

These are the simple steps I followed on a Windows 7 laptop.

  • Download the Virtual Appliance OVA file to your laptop
  • Download and install the Oracle VirtualBox application onto your laptop
  • Double-click the .ova file in Windows Explorer and the appliance import process should start in VirtualBox. You should see something like Fig 1:
Fig. 1: Oracle VM VirtualBox Manager
  • In the VirtualBox Manager left-hand pane double-click on the LiveCD-Hacking-Lab-V5.55 entry. The LiveCD should start and after a short while the Welcome screen shown in Fig 2 should appear.
Fig 2: Welcome Screen
You should be ready to go now at the OWASP Security Training.

Training Videos - Hacking_Lab LiveCD

  • How to use 2 different (attacker/victim) browser instances: learn how to use 2 different (attacker/victim) browser instances (the Firefox profiles are available on LiveCD V5.83 and newer)
  • How to use the ZAP browser in the LiveCD: tutorial, ZAP Web Inspection Proxy on LiveCD
  • How to set up a landing page on the LiveCD: tutorial, ZAP Web Inspection Proxy on LiveCD
  • How to import LiveCD in VirtualBox: learn how to import the LiveCD ova file into VirtualBox
  • How to import LiveCD in VMware: learn how to import the LiveCD ova file into VMware
  • Run Hacking-Lab LiveCD with VMware 8 Workstation: learn how to use the LiveCD ISO with VMware 8 Workstation
  • Installation of LiveCD in VMware 8 Workstation: learn how to install the LiveCD ISO in your VMware 8 Workstation
  • How to open a root shell: learn how to open a "root" shell
  • Server side VDI solution: learn how to use the server side VDI solution

Hacking-Lab Download 

Documents and Videos
Hacking-Lab LiveCD

Tools listed in the OWASP Testing Guide

OWASP Testing Guide Tools for your reference.

Most of the tools below are available on the OWASP Live CD v2.0. Page numbers refer to the OWASP Testing Guide v3 (A-nnn are appendix pages).

Tool | License | Install from | OWASP project? | Testing Guide page(s) | Notes
httprint | Commercial | N/A | No | 52 |
telnet | GPLv3 | source | No | 58 |
Site Digger (Foundstone) | Commercial | N/A | No | 66, A-331 | .Net
Burp Suite | Other | N/A | No | 66, 134, 243, 275, A-332 | Java .jar file
wikto | Commercial | N/A | No | 62, 66, 106, A-331 | .Net
googlegath | FOSS | source | No | 66 | Perl
SSLDigger | Commercial | N/A | No | 84, A-332 | .Net
curl | MIT/X derivate license | source | No | 99, 106, A-334 |
nikto | GPL | source | No | 99, 106 | Perl
nessus | Commercial | N/A | No | 62, 84, 99, 106 | Write an install guide
nc | as-is | source | No | 46, 104, A-332 | The original
netcat | GPL | source | No | (see nc) | GNU re-write of nc
SPIKE Proxy | GPL | source | No | 106 | Python
Xenu | Freeware, no source | N/A | No | 106, A-334 | Windows binary
brutus | dead? | | | 122, 123, A-332 | Unable to locate
THC Hydra | GPL v2 | source | No | 123, A-332 |
John the Ripper | GPL v2 | source | No | 123, A-332 |
Add and Edit Cookies | MPL 1.1 | source | No | 140 | FF Add-on
cookie digger | Commercial | N/A | No | 162 | .Net
SQLiX | FOSS | source | Yes | 200, A-331 | Perl
SQLInjector | unknown, source provided | N/A | No | 200, 210, 217, 227, A-331 | Windows binary
Sqlbftools | FOSS | source | No | 200, 217, A-331 | Perl version also available
sqlmap | GPL v2 | source | SoC 2007 | 200, 217, 227, A-331 | Python
sqlninja | GPL v2 | source | No | 200, 210, 217, 227, A-331 | Perl
SqlDumper | FOSS | source | No | 200, 217, A-331 | Java; site is in Italian, with a nice Flash demo
OraScan | Commercial | N/A | No | 210 | Windows binary
NGSSQuirreL | Commercial | N/A | No | 210 | Windows binary
Integrigy | Commercial / Freeware | N/A | No | 86 | Windows binary
tnscmd | GPL | source | No | 90, A-332 | Perl
Toad | Commercial, trial and freeware versions | N/A | No | 88, 90, A-332 | Windows binary
NTOIncide | | | No | 66 | Appears to be no longer supported or available
Bobcat | Unknown, no source | N/A | No | 227 | Windows binary
Softerra LDAP browser | Freeware | N/A | No | 230 | Windows binary
OllyDbg | GPL | source | No | 261, 266, A-332 | Windows software
Spike | GPL | source | No | 261, 266, A-331, A-332 |
BFBTester | GPL | source | No | 261, 266, A-332 |
Metasploit | Metasploit Framework License v1.2 | source | No | 261, 266, 275, 293, A-332 | Ruby
ITS4 Security Scanner | Non-commercial | source | No | 271 |
idabase | Commercial | | No | 271 | Appears to no longer be available in this form
format string builder | FOSS | source | No | 271 | Pen Test list post
XSS-Proxy | FOSS | source | No | 275 | Perl
EICAR file | Freeware? | source | No | 298 | Anti-virus test file
TCPreplay | BSD | source | No | 300 | manual
Sprajax | LGPL | source | Yes | 313, A-331 | .Net
Venkman | FOSS, likely MPL | source | No | 314 | FF Add-on
Ghost Train | | | No | 314 | Unable to locate
Squish | Commercial | N/A | No | 314 |
JsUnit | GPL, LGPL, MPL | source | No | 314 | Also an Eclipse plugin
OWASP Pantera | GPL, LGPL | source | Yes | A-331 | Python
Achilles Proxy | Freeware | N/A | No | A-331 | Windows binary
Odysseus | Freeware | N/A | No | A-331 | Windows binary
webstretch | GPL v2 | .jar only | No | A-331 | Java
LiveHTTP Headers | MPL? | source | No | A-331 | FF Add-on
Absinthe | GPL v2 | source | No | A-331 | .Net and Mono
OWASP WSFuzzer | LGPL | source | Yes | A-332 | Python
stack | | | No | 261 | Unable to locate
RATS | GPL | source | No | A-333 |
FlawFinder | GPL v2 | source | No | A-333 | Python
FxCop | Freeware | N/A | No | A-333 | Windows binary
splint | GPL | source | No | A-333 |
BOON | BSD-style license | source | No | A-333 |
Pscan | | | No | A-333 | Site unavailable
Watir | BSD | source | No | A-333 | Ruby
HtmlUnit | Apache 2 | source | No | A-333 | Java
JWebUnit | GPL | source | No | A-333 | Java
Canoo WebTest | Apache 2 | source | No | A-333 | Java
HttpUnit | FOSS | source | No | A-334 | Java
Watij | GPL | source | No | A-334 | Java
Solex | Apache | source | No | A-334 | Java
Selenium | Apache 2.0 | source | No | A-334 |

Reference : OWASP Live CD project

Wednesday, August 15, 2012

Live CD - OWASP - Open Web Application Security Project


The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

The OWASP Live CD project was originally started to update the previous OWASP Live CD 2007.

The OWASP Live CD is available installed to a physical or virtual hard drive (VMware), and work continues on other delivery mechanisms, including a bootable USB, a portable VM installation and an installation for the Asus Eee PC. These are provided either as downloadable files or as instructions on how to build them.

OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:
  • PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
  • DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
  • LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).


OWASP Live CD Download Link : Web Testing Environment (WTE) ISO

Username : owasp / Password : owasp

OWASP Live CD VMWare Image Download Link : OWASP-livecd.vmx

Thanks to RRN Technologies Team