OWASP Basic Expression & Lexicon Variation Algorithms (BELVA) Project

=Main=

This project is a custom dictionary builder. Often, when pen-testing, there are words specific to the organization being tested that are not found in the large general-purpose wordlists. Two examples are the name of the organization under assessment and the vertical/industry-specific keywords associated with it. Existing tools either generate too much data per word or are difficult to configure and customize.

Description
This project gives the end user the ability to import data from proxies such as ZAP and Burp, substitute letters/numbers/special characters in any given combination, apply policies that select and remove words so the result fits the organization's password policy, and write plugins for extensibility. The app also allows the pen tester to create custom usernames based on a policy.

https://www.owasp.org/images/3/38/OwaspBELVAv0.1b.png

Licensing
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .

Any contributions are Copyright © by Kenneth F. Belva or OWASP 2016.

Download Project
Source Code

Project Leader
Kenneth F. Belva

Note: This project is dedicated to my dad.

Get Involved

 * Contribute Plugins!

News and Events

 * [21 March 2016] First Alpha Release

=FAQs=

To participate, please contact Kenneth F. Belva (the Project Leader) for more information. More FAQs to come over time....

How can I participate in your project?
All you have to do is make the Project Leader aware of the time you have available to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

Where do I put my data files for import?
Put all files to be used in a specific run in the importExternalSources directory. The application will import all words from each file. If you don't want a specific file imported for a particular run, remove it from the directory before hitting the Run button.

Do you have example input files?
Yes. They are distributed in the importExternalSources folder but should be deleted before running.

The current distribution has a sample Burp XML file, a ZAP raw file, text-file wordlists and a text file of usernames.

I'm getting OWASP & test words in my output. What's wrong?
Be sure to delete the default files in the directory importExternalSources before putting your files in there.

Do I need to keep the default directories?
No. The default input directories and output file may be changed through the UI.

Why does my output.txt file keep growing?
To allow consolidated dictionaries to be built from different runs, the output.txt file is not cleaned or re-created before each run. See the answer below to fix this. A future version may provide a checkbox for the option of creating a new file.

How do I "clean" the output.txt file from last use?
Either delete it or cd into the outputFile directory and type:

echo "" > output.txt

Which file types are recognized?
On importing data (importExternalSources): txt, xml and raw [ZAP default]

On filtering out common words (filterDictionaries): txt only

How to Filter A Wordlist to Match Organizational Criteria
 # Make sure there is a Selection Plugin with the proper criteria. If not, write one, put it in the plugin/policies/select directory and restart the app.
 # Put the wordlist (such as RockYou) in the importExternalSources directory.
 # Select the two policies: "(0) No Substitution" & "(0) No Mutate Policies".
 # Select the Selection Policy with your criteria.
 # Hit the Run button.
 # Grab a cup of coffee...
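The Selection Policy step above decides which imported words survive a run. The following is an added example, not BELVA's own code: the plugin interface for plugin/policies/select is not documented on this page, so this is a standalone Python filter rather than a drop-in plugin. It applies a length bound and a minimum-character-class rule (the same check a registration form enforces) to a constructed wordlist, dropping blank lines and duplicates. The policy values, the sample words and the function names are assumptions made for the illustration.

```python
"""Selection-policy filter for wordlists.

Added illustration of the "Selection Policy" step in the FAQ above. BELVA's
plugin interface is not documented on the project page, so this is a
standalone function rather than a plugin for plugin/policies/select.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class PasswordPolicy:
    """Organisation password policy (assumed values): length bounds plus a
    minimum number of character classes (upper, lower, digit, special)."""
    min_length: int = 8
    max_length: int = 16
    min_classes: int = 3


def character_classes(word: str) -> int:
    """Count how many of the four character classes appear in word."""
    has_upper = any(c.isupper() for c in word)
    has_lower = any(c.islower() for c in word)
    has_digit = any(c.isdigit() for c in word)
    has_special = any(not c.isalnum() for c in word)
    return sum((has_upper, has_lower, has_digit, has_special))


def matches_policy(word: str, policy: PasswordPolicy) -> bool:
    """True if word would be accepted as a password under policy."""
    if not policy.min_length <= len(word) <= policy.max_length:
        return False
    return character_classes(word) >= policy.min_classes


def select_words(lines: Iterable[str], policy: PasswordPolicy) -> List[str]:
    """Apply the selection policy to wordlist lines, preserving order and
    dropping blanks and duplicates (lines may still carry their newline)."""
    seen = set()
    selected = []
    for raw in lines:
        word = raw.rstrip("\r\n")
        if not word or word in seen:
            continue
        seen.add(word)
        if matches_policy(word, policy):
            selected.append(word)
    return selected


# Constructed sample wordlist (not a real dump), shaped like the lines read
# from a text file in importExternalSources.
SAMPLE_WORDLIST = [
    "password\n",          # one class only -> rejected
    "Password1\n",         # upper + lower + digit -> kept
    "Acme2016!\n",         # all four classes -> kept
    "acme\n",              # too short -> rejected
    "ACME-CORP-2016\n",    # upper + digit + special -> kept
    "Password1\n",         # duplicate -> dropped
    "\n",                  # blank line -> dropped
    "Summer2016\n",        # upper + lower + digit -> kept
    "ThisPasswordIsWayTooLongForThePolicy1\n",  # exceeds max_length
    "qwerty12\n",          # lower + digit only -> rejected
]

EXAMPLE_POLICY = PasswordPolicy(min_length=8, max_length=16, min_classes=3)


if __name__ == "__main__":
    for word in select_words(SAMPLE_WORDLIST, EXAMPLE_POLICY):
        print(word)
```

Running the block prints the four surviving words in their original order. To use it on a real file, open the wordlist and pass the file object to select_words; it consumes lines lazily, so a large list is never held in memory twice.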

Can I run more than one instance at a time?
Yes. Type:

./pyOwaspBELVA.py &

Be aware that unless you change the output file for each instance, the resulting datasets will be intermingled.

How to import burp xml files for organization specific content
To be written soon and/or video posted.

How to import ZAP raw files for organization specific content
To be written soon and/or video posted.

How to create user id combinations
To be written soon and/or video posted.

How to write a plugin
To be written soon and/or video posted.

= Acknowledgements =

Contributors
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. Be sure to provide a link to a complete list of all the amazing people in your project's community as well.

The OWASP Tool Project Template is developed by a worldwide team of volunteers. A live update of project contributors is found here.

The first contributors to the project were:


 * Colin Watson who created the OWASP Cornucopia project that the template was derived from
 * Chuck Cooper who edited the template to convert it from a documentation project to a Tool Project Template
 * YOUR NAME BELONGS HERE AND YOU SHOULD REMOVE THE PRIOR 3 NAMES

= To Do and Getting Involved =

To Do
 # Word selection / automated weighing of which words to use
 # Interface improvements: better responsiveness
 # Multi-threading word permutations from the interface
 # Non-GUI version that directs output to stdout
 # Expand functionality and add more plug-ins
 #* Additional permutation dictionaries
 #* Additional applied and removal policies
 #* Additional username creation policies
 # Other types of permutations in addition to just usernames and passwords (i.e., email addresses, sub-domain names)

Getting Involved
Fork the code on git and contribute! :)

=Project About=

This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project