OWASP H2H Tool Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP H2H Tool Project
H2H is an opensource project allowing to detect all entry points of web applications developped in Java. Entry point and EndPoint are defined and explained in these articles : https://digitalguardian.com/resources/data-security-knowledge-base/endpoint-detection-and-response-edr and Gartner http://www.gartner.com/technology/reprints.do?id=1-26F1285&ct=141223&st=sb. From our point of view most web applications written in Java are made of spaghetti code and use more and more complex frameworks. H2H aims at making easier the job of detect vulnerabilities of Web applications written in Java by showing them all endpoints. That means focusing on the code, written by the project's developpers, that answers to requests (http requests, RMI calls, etc.) We could have made a list of all servlets, filters or listeners but, with frameworks such as Spring or JSF, granularity is not enough. That's because these frameworks expose their own component (servlet/listener) first, then dispatch the request (according to the uri or a context) to the code developped by the project. H2H analyze all the most used/frequent frameworks to get all the endpoints.

Notre objectif est de trouver 100% des points d'entrée pour améliorer la couverture de test lors des Pentest ou des audits de sécurité. Our purpose is to find 100% endpoints to improve the coverage of test during Pentests or security audit.

Description
H2H is a java agent which realizes several tasks :


 * H2H scan the entire application and all frameworks to list all endpoints. Here is the list of components analyzed by H2H (framework)


 * It is possible to activate a sensor in H2H that monitore each endpoint. For example, this monitoring allows during a Pentest to know if all scenarios have all been through all endpoints.


 * It is possible to activate a sensor in H2H that monitore each endpoint's performance

Visualization of entry points can be done via a new url added by H2H or by the application H2H-Web Vizualisation Project

The project is composed ​of 2 sub-project​s​ : the Core : Agent for Java project and the web : interface for user​-friendly.

Licensing
H2H is a open source project with licence Apache 2.

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP XXX and any contributions are Copyright &copy; by {the Project Leader(s) or OWASP} {Year(s)}.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Project Resources
Main Page

Core Project

Vizualisation Project

Documentation

Issue Tracker

Project Leader
Damien Kerbart Jean-Louis Boudart Guillaume Dufour Nicolas Poirier

Classifications

 * valign="top" style="padding-left:25px;width:200px;" |

News and Events

 * [12 Aout 2015] First Release
 * }

=FAQs=

Coming soon

How can I participate in your project?
Fork our repository Github and Pull request !

== Installation

For core : https://github.com/highway-to-urhell/highway-to-urhell/blob/master/README.md

For Web-Project : https://github.com/highway-to-urhell/highway-to-urhell-web/wiki

= Acknowledgements =

Contributors
The first contributors to the project were:


 * [Jean-Louis Boudart]
 * [Damien Kerbart]
 * [Guillaume Dufour]
 * [Nicolas Poirier]

= Road Map and Getting Involved =


 * Add Performance Counter for next Release
 * Add export configuration for Apache, F5, Nginx

=Project About=