Thursday, December 31, 2009

SQL Injection Resources

(from Robert Portvliet)

Here's a list of some (SQL Injection) resources I had put together. A good portion of it is probably covered in the Phoenix OWASP list, but here it is anyway:

Vulnerable WebApps:

GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

MOTH - http://www.bonsai-sec.com/en/research/moth.php

Damn Vulnerable Web App - http://www.dvwa.co.uk/

Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Hacme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm

Hacme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

Hacme Shipping -
http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm

Hacme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm

Videos & webcasts:

OWASP Appsec NYC 2008 -
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

Caught in the web series - http://www.coresecurity.com/content/ondemand-caught

Invasion of the browser snatchers series -
http://www.coresecurity.com/content/on-demand-snatchers

Advanced SQL injection -
http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection

Websec 101 - http://www.foundstone.com/us/websec101.asp

Hacme Bank & Hacme Travel videos -
http://www.foundstone.com/us/resources-videos.asp

Tools

Samurai Web Testing Framework (Live CD which contains most tools
needed to perform a web assessment) - http://samurai.inguardians.com

Methodologies

OWASP Testing Guide -
http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

Cheat Sheets

SQL Injection Cheat Sheet -
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet

SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/

SQL Injection Cheat Sheets sorted by DB -
http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1

XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html

Web App Assessment Cheat Sheet -
http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf

Books:

Web Application Hacker's Handbook - http://portswigger.net/wahh/

Whitepapers & slides:

OWASP article on Web application penetration testing -
http://www.owasp.org/index.php/Web_Application_Penetration_Testing

Advanced SQL injection -
http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

Best of web application penetration testing tools -
http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf

(The next two papers are a little old, but still quite useful)

Advanced SQL Injection in SQL Server -
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

(More) Advanced SQL Injection in SQL server -
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Sunday, December 13, 2009

OWASP APPSEC RESEARCH 2010, 2nd CALL FOR PAPERS

Submission is now open for the upcoming OWASP AppSec Research conference, June 21-24, 2010 in Stockholm, Sweden --
http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden

* TOPICS OF INTEREST *
We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:
  • Web application security
  • Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
  • Security in web services, REST, and service oriented architectures
  • Security in cloud-based services
  • Security of frameworks (Struts, Spring, ASP.Net MVC etc)
  • New security features in platforms or languages
  • Next-generation browser security
  • Security for the mobile web
  • Secure application development (methods, processes etc)
  • Threat modeling of applications
  • Vulnerability analysis (code review, pentest, static analysis etc)
  • Countermeasures for application vulnerabilities
  • Metrics for application security
  • Application security awareness and education
* TYPES OF SUBMISSION *
  1. Publish or Perish. Peer-reviewed 12 page papers to be published in formal proceedings by Springer-Verlag (Lecture Notes in Computer Science, LNCS). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  2. Demo or Die. A demo proposal should consist of a pdf with a 1 page abstract summarizing the matter proposed by the speaker(s) and 1 page containing demo screenshot(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  3. Present or Repent. A presentation proposal should consist of a 2 page extended abstract representing the essential matter proposed by the speaker(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
Full instructions can be found on the conference webpage
http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden.
If you have any questions regarding submissions etc, please email john.wilander@owasp.org.

* IMPORTANT DATES *

Submission deadline: February 7th 23:59 (Apia, Samoa time).
Decision notification: April 7th
Conference: June 21st - 24th

* PROGRAM COMMITTEE *

  • John Wilander, Omegapoint and Linköping University (chair)
  • Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
  • Lieven Desmet, Katholieke Universiteit Leuven
  • Úlfar Erlingsson, Reykjavík University and Microsoft Research
  • Martin Johns, University of Passau
  • Christoph Kern, Google
  • Engin Kirda, Institute Eurecom
  • Ulf Lindqvist, SRI International
  • Benjamin Livshits, Microsoft Research
  • Sergio Maffeis, Imperial College London
  • John Mitchell, Stanford University
  • William Robertson, UC Berkeley
  • Andrei Sabelfeld, Chalmers UT
A warm welcome from the OWASP community!

Regards, John Wilander

Friday, December 4, 2009

OWASP Foundation monthly board meetings

The OWASP Foundation holds monthly board meetings to keep the principals of the foundation on track and to address items that roll up from the Global Committees: http://www.owasp.org/index.php/Global_Committee_Pages

At the next board meeting, Dec 1st, we will WELCOME Eoin Keary and Matt Tesauro as new members of the board. As a reminder, and for transparency ("O" in OWASP = Open), here is the current agenda: http://www.owasp.org/index.php/OWASP_Board_Meeting_December_1,_2009_Agenda . You are always welcome to listen in, as the meetings are OPEN to the public.

If you believe that there is a pressing issue in your chapter/project or collective region of the world that falls into one of the following "buckets" (Membership, Industry, Projects, Chapters, Conferences, Education), your conduit is the appropriate global committee (see the webpage for contact information for each of them); they are FOCUSED and EMPOWERED to resolve or address it. Monthly, the Global Committees roll up information as a verbal update/written proposal from the committee chair. Some people may know this process as a cross-functional roll-up type of meeting; in addition to the sometimes daily one-on-one calls, this monthly call is a 60 min "state of the union" update.

Hope this provides insight. There have been several questions about this since the 2009 Summit that took place in Washington, DC last month.

Tom Brennan

OWASP AppSec Research 2010 2nd Call for Papers

Submission is now open for the upcoming OWASP AppSec Research conference, June 21-24, 2010 in Stockholm, Sweden.

Types of Submission

  1. Publish or Perish. Peer-reviewed 12 page papers to be published in formal proceedings by Springer-Verlag (Lecture Notes in Computer Science, LNCS). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  2. Demo or Die. A demo proposal should consist of a pdf with a 1 page abstract summarizing the matter proposed by the speaker(s) and 1 page containing demo screenshot(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  3. Present or Repent. A presentation proposal should consist of a 2 page extended abstract representing the essential matter proposed by the speaker(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
Topics of Interest

We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:

• Web application security
• Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
• Security in web services, REST, and service oriented architectures
• Security in cloud-based services
• Security of frameworks (Struts, Spring, ASP.Net MVC etc)
• New security features in platforms or languages
• Next-generation browser security
• Security for the mobile web
• Secure application development (methods, processes etc)
• Threat modeling of applications
• Vulnerability analysis (code review, pentest, static analysis etc)
• Countermeasures for application vulnerabilities
• Metrics for application security
• Application security awareness and education

Full instructions can be found on the conference webpage http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=CFP. If you have any questions regarding submissions etc, please email john.wilander@owasp.org.

Important Dates
Submission deadline: February 7th 23:59 (Apia, Samoa time).
Decision notification: April 7th
Conference: June 21st - 24th

Program Committee

• John Wilander, Omegapoint and Linköping University (chair)
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
• Lieven Desmet, Katholieke Universiteit Leuven
• Úlfar Erlingsson, Reykjavík University and Microsoft Research
• Martin Johns, University of Passau
• Christoph Kern, Google
• Engin Kirda, Institute Eurecom
• Ulf Lindqvist, SRI International
• Benjamin Livshits, Microsoft Research
• Sergio Maffeis, Imperial College London
• John Mitchell, Stanford University
• William Robertson, UC Berkeley
• Andrei Sabelfeld, Chalmers UT

About OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. We can be found at www.owasp.org.

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1