Monday, July 30, 2012

Halting the spread of socially transmitted diseases

by Mike Samuel

Social websites make it easier than ever to share content, but promiscuous sharing of HTML not only helps teenagers find an outlet for pent up creative energy -- it also provides an easy vector for internet worms.  Sandboxes like Caja and HTML5's "sandbox" attribute allow safe embedding of dynamic HTML, but each suffers from limited availability, a lack of flexibility, or significant integration work.

OWASP's HTML Sanitizer for Java is a flexible, easy to deploy, and easy to configure solution that scales to large volume servers and can be used either stand-alone or as part of a defense-in-depth with other protective layers.

Prevents Code Injection

OWASP’s HTML Sanitizer scrubs dynamic code from HTML that might listen for keystrokes, steal credentials, annoy your users with downloads of malware, or engage in other unapproved activity.

Preserves Trusted Path

By default, OWASP’s HTML Sanitizer removes form inputs, including password inputs, so untrusted content cannot phish your users from inside your own website, and it reworks CSS styles so that your site can use CSS clipping to restrict third-party content to a visually distinct region.

Preserves Search Rank

OWASP’s HTML Sanitizer can rewrite links so that search engines won’t treat them as endorsed by your website.  With a bit of configuration, the same mechanism can rewrite image sources to let you proxy images and/or avoid mixed-content warnings by requiring HTTPS everywhere.


OWASP's HTML Sanitizer is easy to configure.  It comes with a variety of pre-packaged policies that work out of the box, and when you need more control, you can write custom configurations using simple Java code that benefits from your IDE’s auto-complete features instead of learning a new dialect of XML.


OWASP’s HTML Sanitizer understands CSS as well as HTML so third-party authors can style their content.


OWASP’s HTML Sanitizer was designed for large volume servers.  It does not build large temporary data structures in memory, and policies have no mutable state, so they can be shared efficiently by many threads without incurring a lock cost.
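As an added example, not code from the post or from the project's own documentation, the following custom policy pulls together the protections described above: an element whitelist that drops scripts, event handlers and form inputs, rel=nofollow on links, image sources forced to HTTPS, and a single immutable policy object shared across threads. It assumes the owasp-java-html-sanitizer library is on the classpath; the class name CommentPolicy and the HTTPS_ONLY helper are this example's own.

```java
import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public final class CommentPolicy {
    // Assumed helper (not part of the library): upgrades http:// image sources to https://
    // so embedded images never trigger mixed-content warnings, and drops any other scheme
    // (javascript:, data:, relative paths) by returning null.
    private static final AttributePolicy HTTPS_ONLY = new AttributePolicy() {
        @Override
        public String apply(String elementName, String attributeName, String value) {
            if (value.startsWith("https://")) {
                return value;
            }
            if (value.startsWith("http://")) {
                return "https://" + value.substring("http://".length());
            }
            return null; // attribute removed entirely
        }
    };

    // Built once; PolicyFactory is immutable, so one instance serves every request thread.
    public static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "b", "i", "em", "strong", "a", "img")  // no script, form, input
        .allowStandardUrlProtocols()                                // http, https, mailto only
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()                                // search engines ignore endorsement
        .allowAttributes("src").matching(HTTPS_ONLY).onElements("img")
        .allowAttributes("alt").onElements("img")
        .allowStyling()                                             // inline CSS parsed and re-emitted safely
        .toFactory()
        .and(Sanitizers.BLOCKS);                                    // combine with a pre-packaged policy

    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input: event handler, javascript: URL, plain http link and image,
        // a password field and a script block, all of which the policy should neutralise.
        String input = "<p onmouseover=\"x()\">Hi <a href=\"javascript:x()\">bad</a> "
            + "<a href=\"http://example.com/\">site</a>"
            + "<img src=\"http://example.com/a.png\" alt=\"a\">"
            + "<form><input type=\"password\"></form><script>x()</script></p>";
        System.out.println(sanitize(input));
    }
}
```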

For more info

To get started, visit to find example code, download links, instructions on Maven integration, and links to our discussion and support page.

Share safely.

Wednesday, July 25, 2012

OWASP BWA VM version 1.0 released

Hello OWASP Leaders,

Today, I am proud to announce the release of the OWASP Broken Web
Applications Project VM version 1.0. This new release is now available
for download from

If you are not familiar with the project, we produce a VM containing a
variety of web applications with security vulnerabilities.  A list of
the applications included on the current 1.0 release is at the bottom
of this email for your reference.

In addition to just using the applications, the VM has a few other
interesting features:

- Samba shares for editing and viewing source code, configuration
files, and log files
- Scripts for easily recompiling applications (that need compilation
for source code changes to take effect)
- ModSecurity is installed and the OWASP Core Rule Set can be easily enabled

One major effort we have undertaken as part of the 1.0 release is to
update the project documentation.  We now have a relatively detailed
User Guide at

Going forward, my plans for the project are to:
- Work to move the project "up the list" to be a "Stable Quality"
OWASP project.
- Continue to improve documentation
- Continue to catalog vulnerabilities in the VM
- Periodically release new versions as the applications included on
the VM are updated.

I welcome any feedback and contributions to this project.  Feel free
to email me directly or join our Google Group.  I will also be
demonstrating the new release at the Black Hat USA Arsenal this week,
so you can also catch me there if you will be in Vegas.

Chuck Willis

The lists below are current as of the 1.0 release of OWASP BWA.

Training Applications -  Applications designed for learning which
guide the user to specific, intentional vulnerabilities.

- OWASP WebGoat version 5.4+SVN (Java)
- OWASP WebGoat.NET version 2012-07-05+GIT
- OWASP ESAPI Java SwingSet Interactive version 1.0.1+SVN
- Mutillidae version 2.2.3 (PHP)
- Damn Vulnerable Web Application version 1.8+SVN (PHP)
- Ghost (PHP)

Realistic, Intentionally Vulnerable Applications - Applications that
have a wide variety of intentional security vulnerabilities, but are
designed to look and work like a real application.

- OWASP Vicnum version 1.5 (PHP/Perl)
- Peruggia version 1.2 (PHP)
- Google Gruyere version 2010-07-15 (Python)
- Hackxor version 2011-04-06 (Java JSP)
- WackoPicko version 2011-07-12+GIT (PHP)
- BodgeIt version 1.3+SVN (Java JSP)

Old Versions of Real Applications - Open source applications with one
or more known security issues.

- WordPress 2.0.0 (PHP, released December 31, 2005) with plugins:
  o myGallery version 1.2
  o Spreadsheet for WordPress version 0.6
- OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
- GetBoo version 1.04 (PHP, released April 7, 2008)
- gtd-php version 0.7 (PHP, released September 30, 2006)
- Yazd version 1.0 (Java, released February 20, 2002)
- WebCalendar version 1.03 (PHP, released April 11, 2006)
- Gallery2 version 2.1 (PHP, released March 23, 2006)
- TikiWiki version 1.9.5 (PHP, released September 5, 2006)
- Joomla version 1.5.15 (PHP, released November 4, 2009)
- AWStats version 6.4 (build 1.814, Perl, released February 25, 2005)

Applications for Testing Tools - Applications designed for testing
automated tools like web application security scanners.

- OWASP ZAP-WAVE version 0.2+SVN (Java JSP)
- WAVSEP version 1.2 (Java JSP)
- WIVET version 3+SVN (Java JSP)

Demonstration Pages / Small Applications - Little applications or
pages with intentional vulnerabilities to demonstrate specific

- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

OWASP Demonstration Applications - Demonstration of an OWASP
application. Does not contain any intentional vulnerabilities.

- OWASP AppSensor Demo Application (Java)

Monday, July 23, 2012

OWASP 2012 Election Information

  • Eoin Keary 
  • Yiannis Pavlosoglou 
  • Tom Brennan
  • Jim Manico
  • Justin Derry
  • Matt Tesauro

Timeline for Election: 

1. Board director candidate registration deadline: July 10, 2012
2. Honorary membership application deadline: July 31, 2012 Honorary Membership Self Nomination Form
Note: All OWASP paid members are qualified voters. If you are a paid member, no action is needed from you prior to voting.  Honorary membership will be granted to Active Committee Members, Chapter Leaders & Project Leaders. Your leadership position must be on file prior to 31-July 2012 in order to be eligible for the 2012 honorary membership.  If you are NOT a paid member, and you are a chapter or project leader, or member of a Global Committee, then you MUST apply for an OWASP Honorary Membership if you would like to vote in the election by completing the Honorary Membership Self Nomination Form. If you are not a paid member yet, please use the following link to JOIN OWASP.
3. Paid membership deadline: August 31, 2012
4. Electronic Voting period: October 12 - October 19, 2012
5. Election results announcement: October 19, 2012

Thank you,
The Global Membership Committee

Tuesday, July 17, 2012

OWASP iOS Developer Cheat Sheet

Greetings OWASP friends,

There's a new cheat sheet available in the OWASP cheat sheet series. This one is aimed at iOS app developers, and is available here:

I consider it a first shot at providing some useful tips for iOS devs. I used the excellent work done on the DRAFT Mobile Security Risks list by Jack Mannino et al as a starting point. But without a doubt, I'm sure it could use some more fleshing out and detailing.

Even still, I hope it provides some value and utility for iOS devs. I know I'll be referring people to it in my own iOS classes.

Special thanks to Jim Manico for doing the Wiki formatting on this doc! Much appreciated, Jim.  Mahalo nui loa.



Kenneth R. van Wyk
KRvW Associates, LLC

Thursday, July 12, 2012

Results of OWASP Summer Membership Drive

A big thanks to everyone that became a new OWASP member or renewed their membership during our Summer Membership Drive! Over the course of 8 days, we accumulated 160 new members and 40 membership renewals for a total of $10,000 USD raised for OWASP. $4,000 of that will directly go to benefit the OWASP Projects Reboot.

Congratulations to our drawing winners:
(4) OWASP Global AppSec Passes
  • Reg Harnish
  • Justin Derry
  • Charles Herman
  • Brian Hill

(2) BlackHat USA 2012 Briefing Passes
  • Artair Burnett
  • Rajat Swarup

We received some really positive feedback from the community on this initiative as well:

     "Good marketing campaign!"

     "Thanks for the great promotion to remind guys like me that my membership was up for renewal.
     I am so thankful for OWASP and how it has helped me and my organization."

      "Love this plan. Brilliant way to drive membership."

... and last but not least, a bit of excitement from one of the winners of a BlackHat Briefing Pass:

     "[This will be] my first ever conference and trip to Vegas...You are making a simple guy's dreams come true. Thank you again."

Again, thanks to everyone that participated by purchasing a membership or spreading word of this initiative!  

Tuesday, July 10, 2012

OWASP WebGoat .NET Released!

Hello Leaders!

Over the weekend, I pushed out the newest version of WebGoat.NET - the first major release. I've used this version to teach several .NET classes, and the application was received very well, and provided a great playground for developers who want to learn about application security.

The application is not identical to WebGoat Java, nor was it meant to be. But it follows the spirit of the venerable WebGoat that has been a mainstay in appsec classrooms for a decade.
  • In addition to lessons, WebGoat.NET has an entire sample application built-in, for demonstration purposes.
  • There are a few lessons included, and I'm assembling a team of volunteers to help build out the rest.
  • Runs under Windows (obviously), Linux and OSX with no code changes
  • Uses a MySQL database. Will have optional database choices in the future (SQL Server will be implemented next).
  • Open source / GPL
In the coming months, the WebGoat.NET team and I will be working hard to build out more lessons, put in more .NET specific lessons, and add lesson notes, more challenges and guides.

WebGoat.NET can be downloaded from:

Please download and have fun. Hopefully this will help other people teaching ASP.NET security, and ultimately it will help people self-study once the lesson notes are completed.

Thank you!!

Jerry Hoff

-- Twitter: @jerryhoff
OWASP Appsec Tutorial Series (OATS):

Tuesday, July 3, 2012

OWASP Membership Drive

OWASP Community Members -

For the first 8 days in July we will be conducting a Summer Membership drive in order to promote some of the great things OWASP has to offer!  If you become a paid OWASP member or renew your membership between July 1 and July 8, 2012:

  • 40% of your Membership dues will be put towards the Project Reboot Initiative
  • You will be entered into a raffle for one of 6 great global event passes:  2 BlackHat USA 2012 passes (valued at $2000 each) and 4 passes to the OWASP Global AppSec Event of your choice (valued at $500 each) are up for grabs!
  • Secure your voice in the upcoming election of 3 Global Board of Directors Positions!
To participate, all you need to do is purchase a membership between July 1 and July 8, 2012!  The Raffle will take place during a live Webinar on July 10, 2012.  You do not need to be present to win and all winners will be contacted via email immediately following the Webinar with instructions on claiming their prize.

Details can be found here:

Ready to become an OWASP member or renew now?

Thanks in advance for your support (and help in socializing this message)!