DEADLINE REMINDER
The deadline for Paid and Honorary Membership is this Sunday, Sept 30 for eligibility to vote in the upcoming 2012 Election. Please see https://www.owasp.org/index.php/Membership/2012_Election for more information.
Using the link above, please check that you are a current paid member. If you are not, please consider becoming a member today (https://www.owasp.org/index.php/Newmembership). Your donation will help to continue to provide vendor neutral services and to continue to develop quality tools and documentation in our open source community.
If you would like to apply for honorary membership please complete the honorary membership form before September 30, 2012.
https://docs.google.com/a/owasp.org/spreadsheet/embeddedform?formkey=dHA4dno2TlhSa0pVSUNQclZCOWROV0E6MQ
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
Friday, September 28, 2012
Thursday, September 27, 2012
AppSec USA 2012: Training Promotions, Deadlines, WASPY Awards, and Open Source Showcase
OWASP Community Members -
A few updates and reminders on our upcoming global event: AppSec USA 2012 taking place on October 23-26 at the Hyatt Regency in downtown Austin, Texas!
IN THIS MESSAGE:
Training Promotions | Reserve your hotel room by October 1 | Register by Sept. 30 | Conference Schedule | Waspy Awards | Open Source Showcase | Thanks to our Sponsors
TRAINING PROMOTIONS
Win a free pass to Sherif Koussa's Training: Writing Secure J2EE Code
Winner must solve a Java riddle plus get the most amount of retweets, LI comments and likes or Facebook likes.
For details go to: http://www.slideshare.net/skoussa/how-good-of-a-java-developer-are-you
Several of our trainers have decided to offer a "3 for 2" deal on their training course. If your company wants to send 3 people to a training course - you can do it for the price of 2 training registrations. Put it another way - buy 2 training registrations, get a third for free! If you are interested in taking advantage of this promotion email sarah.baso@owasp.org for registration instructions and a discount code. Training classes included in this offer:
- 1 Day Training (Wed, Oct 24) Web Application Secure Defensive Coding Bootcamp (Jim Manico and Eoin Keary)
- 1 Day Training (Wed, Oct 24) CISO Training: Managing Web & Application Security – OWASP for Senior Managers (Tobias Gondrom)
- 1 Day Training (Wed, Oct 24) The Art of Exploiting SQL Injection (Sumit Siddharth)
- 2 Day Training (Tues& Wed, Oct 23-24) .NET Secure Coding (Erez Metula)
- 2 Day Training (Tues& Wed, Oct 23-24) Tactical Defense with ModSecurity (Josh Amishav-Zlatin)
To learn more about all of our training courses, visit: http://www.appsecusa.org/schedule/trainings/
DEADLINE: RESERVE YOUR HOTEL ROOM BY OCTOBER 1
The Hyatt has extended the cut-off date for our room block at the discounted rate of $189/night to OCTOBER 1. Don't get stuck cabbing it every day, get your hotel room today. Book at the Hyatt Regency Austin under our discounted rate > https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=6604435
REGISTER BY SEPTEMBER 30th
Registration prices go up by $100 after September 30th, so sign up today for a great deal: http://www.appsecusa.org/register/
CONFERENCE SCHEDULE
We have released the schedule (still subject to change) at schedule.appsecusa.org and the mobile version at m.appsecusa.org. You can create your own personal schedule, connect with other attendees and even import your schedule into Outlook or iCal.
Web Application Security of the Year (WASPY) Award
Every year a group of individuals including researchers, developers, security professionals and others work to ensure the security of web applications. Some of these individuals are featured in news stories or at conferences as recognized experts. But there are many other ‘unsung heroes’ that work every day to improve web application security and yet are rarely recognized. This year OWASP will initiate the first annual Web Application Security Person of the Year (WASPY) award. The WASPY awards are solely funded by sponsors.
We would like to thank our Platinum Sponsor Qualys and our Silver Sponsor Trustwave for their additional contributions to this award.
It's not too late to sponsor the WASPY awards. Please contact Kelly Santalucia kelly.santalucia@owasp.org for more information or with any questions you may have.
OPEN SOURCE SHOWCASE
Don't miss the OWASP Open Source Showcase starting on Thursday, October 25th and ending on Friday, October 26th! A handful of open source projects were selected to showcase, demo, and promote their work at the AppSec USA conference this year.
The projects showcasing are:
- OWASP Hackademic Challenges
- Armitage
- ThreadFix
- Brakeman
- ModSecurity
- Mantra OS
The Open Source Showcase is a great opportunity to participate in live demos, and meet the Project Leaders face to face. The showcases run from 9:00am to Noon, and from 2pm to 5pm on both Thursday and Friday. Please contact projects@owasp.org for more information.
THANKS TO OUR SPONSORS!
We are EXTREMELY thankful to our donors and sponsors:
Adobe, NTOBJECTives, Aspect Security, Checkmarx, iMPERVA, Cigital, Qualys, NetSPI, Veracode, IBM, f5, WhiteHat, Army INSCOM, Trustwave Spiderlabs, Impact Security, Denim Group, Gemalto, Gotham Digital Science, Symplified, Blueinfy, Core Security Technologies, Radware, RSA Security, Rapid7, Falling Rock, and Pwnie Express.
THANK YOU! We couldn't pull this off without your generous support!
OWASP AppSec USA 2012, Austin TX
Training: October 23-24,
Tuesday, September 25, 2012
OWASP Membership Deadline
Hello all,
I would like to remind everyone ONE LAST TIME of the September 30, 2012 membership deadline for eligibility to vote in the OWASP election. The members of the committee are not paid marketing people, or paid by OWASP for our efforts; we are all volunteers, just like you. We pay membership because we want to support our local chapter, OWASP projects, and other efforts to raise awareness of critical software security issues.
OWASP needs your donation to continue to provide vendor neutral services and to continue to develop quality tools and documentation in our open source community.
For less than $1/week, you can support your local chapter and vote in the Global OWASP Election.
Become a member Today!
https://www.owasp.org/index.php/Newmembership
If you are already a paid member, then please accept our sincere thank you for your continued support.
Honorary members can also vote in the election. If you would like to apply for honorary membership please complete the honorary membership form before September 30, 2012.
https://docs.google.com/a/owasp.org/spreadsheet/embeddedform?formkey=dHA4dno2TlhSa0pVSUNQclZCOWROV0E6MQ
Respectfully,
Helen Gao, CISSP
Global Membership Committee Chair
https://www.owasp.org/index.php/Global_Membership_Committee#Membership_Committee
Monday, September 17, 2012
OWASP ZAP – the Firefox of web security tools
My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it.
Future posts on the ZAP blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP.
Some of the ideals that have driven ZAP are listed below and will be expanded upon in the rest of this post:
- help users develop and apply application security skills
- build a competitive, open source, and community oriented platform
- provide an extensible platform for testing
- designed to be easy to use
- raise the bar for other security tools
Helping users learn about Application Security
Unlike many security tools ZAP is designed to be used by people new to application security as well as security professionals.
My background is in development, and I started playing around with the Paros Proxy (from which I forked ZAP) as a way to learn about security tools. Helping people to learn about application security has been, and will remain, an essential goal for ZAP.
The open nature of ZAP is key here – users can delve into the code to see how it works. Anyone who thinks they can make an improvement has the opportunity to implement those changes, feed them back and be credited for them. Developers can work on ZAP to help them learn about security, and security people can work on ZAP to help them learn about coding.
An Open Source, Community based project
Like all OWASP projects, ZAP is open source and completely free to use. This means that there is no ‘pro’ version, so there is no incentive for us to hold back features for the ‘paid-for’ version. ZAP is also a community based project, which is an important distinction when compared with some other tools.
There are many security tools that are open source but are still tightly controlled by one individual or company. While a user can see how these products work it is often difficult to change them or influence their direction.
Anyone can get involved with the ZAP development – once someone has shown that they can produce good quality code and conform to ZAP guidelines then they can get commit access!
There are plenty of opportunities for non coders to get involved too – testing, documentation, training videos, translating – all contributions are welcomed and credited.
An Extensible platform for testing web applications
In addition to improving the core feature set for ZAP, we are working to ensure that as much of ZAP functionality is implemented as extensions or addons, which can easily be added to existing ZAP releases. This means that new features can be added dynamically without having to wait for full ZAP releases, and also means that we can accommodate features that will only appeal to a small subset of our users.
The ZAP community is very supportive of people who want to learn about coding or security, and we have just benefited from 3 students producing excellent enhancements to ZAP as part of the Google Summer of Code.
Ease of use as a design goal
We realize that developers and functional testers will probably spend a relatively small amount of time using security tools, so we want ZAP to be as intuitive as possible.
But we try to maintain a balance between making things as simple as possible while at the same time not over simplifying them.
While there is no ‘big red button’ in ZAP which will solve all of your security problems,
ZAP provides a set of automated tools which will help individuals assess the security of applications.
ZAP also provides a set of manual tools which can be used by people with more knowledge, which is one of the reasons it has been so enthusiastically adopted by professional pentesters. Inexperienced users can start off using the automated tools and gradually use more and more of the manual features as they improve their knowledge of application security.
Raising the bar for security tools
Another way ZAP can help application security in general is by raising the bar for other security tools, commercial or otherwise. Other products are free to reuse our source code (with acknowledgement ;) and also free to copy or be ‘inspired’ by features that are implemented in ZAP.
In fact we welcome such reuse as it will provide the following benefits:
- improving other tools, which increases user choice
- broadens the availability of effective security tools
- allows feature parity across tools which will drive innovation and competition
Conclusion
In conclusion, ZAP is a free, open-source community developed tool aimed at making the online world more secure. Anyone can get involved developing the core engine, or by creating addons which have full access to the core functionality. And that will probably sound vaguely familiar as it’s very close to the philosophy behind Mozilla Firefox.
It’s why I’m working for Mozilla as a security automation engineer, and the justification for this blog’s title :)
If you have any interest in application security then you should download ZAP and try it out. And if you would like to learn more, or help to make ZAP better then please get in touch with me.
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Automation Engineer
Thursday, September 13, 2012
OWASP Candidate Interviews Posted and New Election Timeline Information
The OWASP election is rapidly approaching! The candidate interviews have been posted. Please scroll to the bottom of https://www.owasp.org/index.php/Membership/2012_Election and listen to the candidate interviews.
Honorary Membership: Has been reopened and extended until Sept 30 EOD. Please see 2012 Election to find out if you are eligible. If you are qualified, you MUST complete the Honorary Membership Form.
Paid Membership: The deadline has been extended to Sept 30 EOD. OWASP paid Individual Members, paid Corporate Members and Honorary Members registered as of September 30 will have one (1) vote per seat. There are 3 seats up for the election. You can check here to see if you are a paid member of OWASP using our Member Look Up
Your vote counts! If you are not a paid member, we encourage you to join OWASP today https://www.owasp.org/index.php/Membership_Map
Tuesday, September 11, 2012
AppSec USA 2012: Training, Conference Schedule, and More
The OWASP AppSec USA 2012 team has exciting updates for the October 23-26, 2012 event
taking place at the Hyatt Regency in downtown Austin, Texas!
IN THIS MESSAGE:
Training | Conference Schedule Released | Reserve your hotel room by Sept. 23 | 5K for Charity | Movie Sneak Preview: Reboot | Register | Thanks to our Sponsors
TRAINING
Ready to learn the art of SQL injection? Got it. Advanced Threat Modeling? You're covered. Taking OWASP WTE (OWASP Live CD) to the next level? Learn from its maintainer! Hardening your .NET or J2EE code? Be instructed by masters of the craft Erez Metula (author of "Managed Code Rootkits") and Sherif Koussa (lead developer on WebGoat5.0 and lead instructor at Secure Code Gurus). We even have training for CISOs looking for info on setting up, managing and improving their global information security organization using mature OWASP projects and tools.
Learn more about our 1-day and 2-day classes > http://www.appsecusa.org/schedule/trainings/
OWASP AppSec USA 2012 is also offering a FREE Pass ($375 value) to a half-day pre-Conference Developer Training – for developers new to Application Security and the OWASP Community > http://owasp.blogspot.com/
CONFERENCE SCHEDULE RELEASED
We have released the schedule (still subject to change) at schedule.appsecusa.org and the mobile version at m.appsecusa.org. You can create your own personal schedule, connect with other attendees and even import your schedule into Outlook or iCal.
BOOK YOUR HOTEL ROOM BEFORE IT IS TOO LATE!
Don't get stuck cabbing it every day, get your hotel room today. Our special discount rate of $189/night is ending on Sept 23 and the conference hotel is filling up. Book at the Hyatt Regency Austin under our discounted rate > https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=6604435
5K FOR CHARITY
AppSec USA 2012 5k Race to be held prior to conference sessions on Friday. The $50 fee includes race support and a limited edition Nike Dri-Fit t-shirt. All proceeds will be donated to the OWASP Projects Reboot initiative (https://www.owasp.
If you’ve already registered for AppSec and would like to attend, simply LOG IN HERE and add it to your agenda. If you have not already registered for AppSec, you should REGISTER TODAY to reserve your pass.
MOVIE SNEAK PREVIEW: REBOOT
We are very excited to announce a special sneak preview of the new film “Reboot” at OWASP AppSec USA 2012! Set within a dystopian world that is a collision between technology and humanity, “Reboot” touches upon many of the current social and political concerns that arise from becoming more and more intertwined with the virtual.
In contemporary Los Angeles, a young female hacker (Stat) awakens from unconsciousness to find an iPhone glued to her hand and a mysterious countdown ticking away on the display. Suffering from head trauma, and with little recollection of who she is or what is happening, Stat races against time to figure out what the code means, and what unknown event the pending zero-hour will bring.
Only 300 passes are available for this special screening at AppSec and it has already been added as an OPTIONAL AGENDA ITEM for our attendees. If you’ve already registered for AppSec and would like to attend, simply LOG IN HERE and add it to your agenda. If you have not already registered for AppSec, you should REGISTER TODAY to reserve your pass.
REGISTER
Register early and save money. Register a large group and save even more. And if you're a student, the savings are huge. So sign up today for a great deal, and please spread the word to students in computation, information protection, forensics, and law. We need more people to secure the world's systems. Registration is open and prices go up by another $50 on September 30th!
http://www.appsecusa.org/
THANKS TO OUR SPONSORS
We are EXTREMELY thankful to our donors and sponsors:
Adobe, NTOBJECTives, Aspect Security, Checkmarx, iMPERVA, Cigital, Qualys, NetSPI, Veracode, IBM, f5, WhiteHat, Trustwave Spiderlabs, Impact Security, Denim Group, Gemalto, Gotham Digital Science, Symplified, Blueinfy, Core Security Technologies, Radware, RSA Security, Rapid7, Falling Rock, and Pwnie Express.
THANK YOU! We couldn't pull this off without your generous support!
Thanks all.
Free half-day developer training at AppSec USA
For a Limited Time Only
FREE Pass ($375 value) to pre-Conference OWASP AppSec USA 2012 Training
Offer for Developers New to Application Security and the OWASP Community
What: FREE half-day training
Course Title: Web Application Secure Defensive Coding Boot Camp
Instructors: Jim Manico & Eoin Keary
Jim Manico is an OWASP volunteer who leads the OWASP Cheat Sheet Series and produces the OWASP Podcast Series. Jim is also the VP of Security Architecture at WhiteHat Security. Jim provides secure coding and developer awareness training for WhiteHat Security using his 8+ years of experience delivering developer-training courses for SANS, Aspect Security and others. He brings 16 years of database-driven Web software development and analysis experience to WhiteHat and OWASP.
He is also an international board member, and vice chair of OWASP, The Open Web Application Security Project (owasp.org). During his time in OWASP he has led the OWASP Testing and Security Code Review Guides and also contributed to OWASP SAMM, ASVS and the OWASP Cheat Sheet Series. Eoin has led global security engagements for some of the world’s largest financial services and consumer products companies. He is a well known technical leader in industry in the area of software security and penetration testing.
When: Morning or Afternoon session:
- Tuesday, October 23, 2012; 8:00 AM to 12:00 PM
- Tuesday, October 23, 2012; 1:00 PM to 5:00 PM
Why: Regardless of your chosen/mandated framework for building web applications: Spring, Struts, Rails, PHP, Python, etc., you want to make your life easier, and potentially less embarrassing. Don’t be the one who left the door open for hackers. Learn handy tips from one of the world’s leading AppSec experts.
Who is Eligible: Developers (dev managers welcome, assign people from your team to attend). Bring yourself, no materials required.
Where: Austin Hyatt Regency Downtown; 208 Barton Springs Road, Austin TX
Register here:
- Morning session: http://appsectrainingmorning.eventbrite.com/
- Afternoon session: http://appsectrainingafternoon.eventbrite.com/
Disclaimer: First come, first served, there is limited capacity. Offer is for developers new to application security and the OWASP Community. Register by October 8, 2012.
Don’t miss this opportunity because OWASP AppSec USA is hosted in Austin this year! In addition, register for AppSec USA 2012 www.appsecusa.org (more training on Wednesday, October 24; full conference Thursday-Friday, October 25-26).
Monday, September 3, 2012
OWASP 1-Liner
by @johnwilander
OWASP 1-Liner is a deliberately vulnerable Java- and JavaScript-based chat application where users communicate via so called one-liners. A one-liner is a short text message sent into cyberspace, open to read for anyone accessing the system. The app is intended for demos and training in application security.
IMPORTANT:
- OWASP 1-Liner contains several serious security holes intended for demonstrations and application security training. Do not trust it with any kind of sensitive information such as usernames or passwords you use for regular sites and systems.
- OWASP 1-Liner is an official OWASP project, originally released at OWASP AppSec Research 2012 in Athens.
Contents
A. License and Attribution
B. Quick Start
C. Purpose
D. Project Structure
E. Build and Deploy
F. Contributors
A. License and Attribution
If you use the OWASP 1-Liner you should attribute its original author John Wilander and the OWASP Foundation. Thank you!
OWASP 1-Liner is released under the Creative Commons Attribution-ShareAlike 3.0 Unported license. Full details can be found in the LICENSE_CC3.txt file in this project.
Other licensed software bundled in:
- Ext JS 4 from Sencha which is under the GNU General Public License (GPLv3), please see LICENSE_GPL3.txt.
- jQuery and the jQuery Cookie plugin which are under the MIT license, please see LICENSE_MIT.txt.
- jQuery encoder by Chris Schmidt. Please see LICENSE_JQUERY_ENCODER.txt.
- OWASP AntiSamy which is licensed under BSD 2. The project refers to the template which is available in LICENSE_BSD_2.txt.
- One slightly modified file from BeEF, namely hook.js with a setTimeout call to beef_init(). BeEF is licensed under the Apache License, version 2.0. Please see LICENSE_APACHE_2.0.txt.
- Several Java libraries and of course Java itself. All of these dependencies are found in the build.gradle file and their respective licenses can be found at each project's site.
B. Quick Start
OWASP 1-Liner is deployed on your own machine. This is the quickest way to get going:
- Clone https://github.com/johnwilander/owasp-1-liner (this repo if you're on GitHub right now) using Git
- Enter '127.0.0.1 local.1-liner.org' and '127.0.0.1 attackr.se' in your hosts file
- Make sure you have Gradle installed
- Go to the root folder of your cloned OWASP 1-Liner in a shell
- Execute 'gradle jettyRun'
- Surf to https://local.1-liner.org:8444
- Check out the OWASP_1-Liner_Demos.txt file for demo inspiration
C. Purpose
The purpose of the OWASP 1-Liner Project is to provide the application security community with a modern (at least as per 2012 :) Java- and JavaScript-based web application suited for both demonstrations and training.
D. Project Structure
OWASP 1-Liner is built up of two implementations:
- OWASP 1-Liner Vulnerable – the deliberately insecure version of the app
- OWASP 1-Liner Securish – a more secure version of the same app
E. Build and Deploy
OWASP 1-Liner is a Gradle application. You download the source, build, and deploy on your own machine. The intention is to allow for live coding and patching. The suggested IDE is Jetbrains' IntelliJ.
Clone the Repository
Go to https://github.com/johnwilander/owasp-1-liner and clone the repo to your local machine using Git.
Install Gradle
On Mac OS X
If you're on Mac OS X and use Homebrew you can just run 'brew install gradle' in a shell.
On Windows 7
- Go to http://www.gradle.org/, download and unzip Gradle
- Add the environment variable 'GRADLE_HOME' and then add 'GRADLE_HOME\bin' to the Path variable
On Linux
- Go to http://www.gradle.org/, download and unzip Gradle
- Edit the PATH in the environment file, e.g. $ sudo nano /etc/environment
- Add the following to the environment file:
- PATH = "... :$GRADLE_HOME/bin"
- GRADLE_HOME="gradle_directory".
- Reload environment variables: $ source /etc/environment
- Add symbolic links to the usr/bin folder: $ sudo ln -sf /gradle_directory/bin/* /usr/bin/.
Configuring local domain names
You have to access the apps through proper URLs (not IP numbers or "localhost") so you need to set up fake domain names in your hosts file.
On Mac OS X
- Open /etc/hosts as root in an editor, e.g sudo emacs /etc/hosts
- Add these lines:
- 127.0.0.1 local.1-liner.org
- 127.0.0.1 attackr.se
On Windows 7
- Run an editor (e.g. Notepad) as administrator
- Open C:\Windows\System32\drivers\etc\hosts in the editor
- Add these lines:
- '127.0.0.1 local.1-liner.org'
- '127.0.0.1 attackr.se'
On Linux
- Open and edit as root the file /etc/hosts, e.g. $ sudo gedit /etc/hosts
- Add these lines:
- '127.0.0.1 local.1-liner.org'
- '127.0.0.1 attackr.se'
Build and run on Jetty
OWASP 1-Liner uses the Jetty plugin for Gradle to run the apps.
- Go to the root folder of the cloned repository in a shell, for instance /opt/workspace/owasp_1-liner/
- gradle jettyRun
Dependencies
Check the build.gradle file for dependencies.
How to set up trusted SSL
On Mac OS X
Below are instructions on how to get browsers without their own trusted CA list (i.e. Chrome and Safari) to accept your application's self-signed SSL cert for https://local.1-liner.org:8444.
- Open a shell and cd to the app root dir (that's where you'll see the keystore file)
- If the supplied certificate has expired or you want to replace it for some other reason, run Java's keytool like
this (the password is always '1-liner' without single-quotes):
- keytool -delete -alias jetty -keystore keystore
- keytool -keystore keystore -alias jetty -genkey -keyalg RSA
- Be sure to enter local.1-liner.org as CN (stated as first and last name in the creation process).
- Enter the password '1-liner' without single-quotes for both passwords
- keytool -export -keystore keystore -alias jetty -file jetty-ssl.keystore.cer
- Open your keychain manager and select the "System" keychain
- Archive -> Import, select your new .cer file, enter OS X admin password
- Double click the newly imported cert, expand trust, mark for SSL – Always trust
- Reload the page in your browser and now it should be accepted
On Windows 7
- Click Start button and enter "certmgr.msc" in the search box.
- Go to 'Trusted Root Certification Authorities'
- Right click
- Pick "All tasks" -> Import -> Next -> Browse
- Find the location of the OWASP 1-Liner certificate in the source root
- Next -> Finish -> Yes -> OK
Note, we seem to have some problems running the application in IE. Bug reports are welcome.
On Linux
If the supplied certificate has expired or you want to replace it for some other reason, follow steps 1 and 2 under "On Mac OS X" in a shell.
There is no central management for SSL certificates so you have to determine the validity of the certificate on each application.
Firefox
Hit https://local.1-liner.org:8444 and then select 'I understand the risks' -> 'Add Exception' -> 'Get Certificate' -> 'Confirm security exception'.
Chromium
It does not have an SSL certificate manager, so the certificate has to be added to the NSS shared DB using libnss3-tools, which has to be installed. Use Firefox to export the certificate to a file as PEM. Then type in a shell:
$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Give_a_name" -i "the_extracted_certificate"
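The hosts-file and certificate steps above are easy to get subtly wrong (a stray comment, a hostname mapped to the wrong address, an expired or mis-named self-signed cert), and the README notes that nothing checks certificate validity centrally. The following POSIX shell script is an added example, not part of the OWASP 1-Liner project: it parses a hosts file the way the resolver does (comments stripped, aliases matched as whole words), verifies that both names the README requires map to 127.0.0.1, and offers a helper that prints the subject and expiry of the DER certificate that `keytool -export` writes. The two sample hosts files are constructed inline for a self-test; the certificate helper assumes `openssl` is installed and is only run when you call it.

```shell
#!/bin/sh
# Added example (not part of the OWASP 1-Liner project): sanity-check the
# local setup the README asks for. Hostnames are the two from the README;
# the certificate path is whatever keytool -export wrote (assumed DER).

# Print the address a hosts file maps NAME to, ignoring comments and blank
# lines and matching NAME as a whole word in the alias columns.
# Prints nothing when the name is absent.
hosts_lookup() {
    hosts_file="$1"; name="$2"
    sed 's/#.*//' "$hosts_file" | awk -v n="$name" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# Return 0 when both README hostnames resolve to 127.0.0.1 in hosts_file,
# 1 (with a message on stderr) for the first one that is missing or wrong.
check_required_hosts() {
    hosts_file="$1"
    for name in local.1-liner.org attackr.se; do
        ip=$(hosts_lookup "$hosts_file" "$name")
        if [ "$ip" != "127.0.0.1" ]; then
            echo "missing or wrong entry for $name (got '${ip:-none}')" >&2
            return 1
        fi
    done
    echo "hosts file OK"
}

# Show subject (check the CN is local.1-liner.org) and expiry of a DER
# certificate such as jetty-ssl.keystore.cer. Needs openssl on the PATH.
cert_info() {
    openssl x509 -inform DER -in "$1" -noout -subject -enddate
}

# Constructed sample hosts files for a self-test (not real system files).
TMPDIR_EX=$(mktemp -d)
GOOD="$TMPDIR_EX/hosts.good"
BAD="$TMPDIR_EX/hosts.bad"
printf '127.0.0.1 localhost\n# dev entries for OWASP 1-Liner\n127.0.0.1 local.1-liner.org attackr.se # both on one line\n' > "$GOOD"
printf '127.0.0.1 localhost\n10.0.0.5 local.1-liner.org\n' > "$BAD"

# Usage against the real file: check_required_hosts /etc/hosts
check_required_hosts "$GOOD"
check_required_hosts "$BAD" || echo "sample bad file rejected as expected"
```

Run it with `sh check-1liner-setup.sh`; to check your own machine, call `check_required_hosts /etc/hosts` and `cert_info jetty-ssl.keystore.cer` from the app root after the keytool steps. The lookup deliberately mirrors resolver behaviour (first matching line wins, comments ignored) so that a leftover entry higher up in the file, which browsers would honour, is what the check reports.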
F. Contributors
Original and main developer is John Wilander.
Further contributors in alphabetical order:
- Paraskevi "Vicky" Simita