OWASP Basic Expression & Lexicon Variation Algorithms (BELVA) Project

From OWASP
Jump to: navigation, search
OWASP Project Header.jpg


OWASP Basic Expression & Lexicon Variation Algorithms (BELVA) ProjectTool Project

This project is a custom dictionary builder. Often times when pen-testing there are words that are specific to the organization being tested that are not usually found in the large wordlists. Two examples are the name of the organization under assessment or vertical/industry specific keywords associated with the organization. The current tools found generate either too much data per word or were difficult to configure/customize.

Description

This project gives the end user the ability to import data from proxies such as ZAP and burp, substitute letters/numbers/special characters in any given combination, apply policies to select and remove words to fit the organization specific password policies as well as write plugins for extendability. The app also allows the pen tester to create custom username based on policy.

OwaspBELVAv0.1b.png

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

Any contributions are Copyright © by Kenneth F. Belva or OWASP 2016.

Download Project

Source Code

Project Leader

Kenneth F. Belva

Note: This project is dedicated to my dad.

Get Involved

  • Contribute Plugins!

Classifications

Project Type Files TOOL.jpg
Incubator Project Owasp-builders-small.png
Owasp-defenders-small.png
General Public License 3.0

News and Events

  • [9 April 2016] First Version Release
  • [1 April 2016] First Beta Release
  • [21 March 2016] First Alpha Release

To participate, please contact Kenneth F. Belva (the Project Leader) for more information. More FAQs to come over time....

How can I participate in your project?

All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.


If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.


Why am I not getting any data when I run the application?

Be sure an option is always chosen for each of the substitution, mutation and selection policies. This includes selecting the "(0)" policy if no selection is to be made.


Where do I put my data files for import?

All files to import should be put in a single directory. The files may be in sub-directories under the main directory/folder.

Either select a user defined directory with the by clicking on the Directory button under the Import Sources Directory or put all files to be used in a specific run in the importExternalSources directory under the application root.

The application will import all words from each file. If you don't want a specific file imported for a particular run, remove it from the directory before hitting the Run button.

Do you have example input files?

Yes. They are distributed in folder importExternalSources but should be deleted before running.

The current distribution has sample burp xml, ZAP raw, text file wordlists and text file usernames.


I'm getting OWASP & test words in my output. What's wrong?

Be sure to delete the default files in the directory importExternalSources before putting your files in there.

You may also select a different directory.


Do I need to keep the default directories?

No. The default input directories and output file may be changed through the UI.


How can I make a unique set of words without applying any substitutions or policies?

Be sure to select "(0)" in each of the boxes with nothing else.


In what order are the selections applied?

Currently from top down: First, words are substituted. Second, they are mutated. Third, they are checked to see if these transformations match the selection policy.

Reordering the application of the transformations is not available.


Can I import words with special characters?

Yes. Words with special characters is supported.


Does the application do any transformation to the word before processing?

Yes. Words are cased to be all lowercase in order to make sure that they are unique.


Why does my output.txt file keep growing?

To create consolidated dictionaries from different runs the output.txt file is not cleaned or created before each run. See answer below to fix. Future version may provide a checkbox for the option of creating a new file.

The idea is that many instances of the application can point to the same output file so that each may use different criteria and inputs but all the output be sent to one file.


How do I "clean" the output.txt file from last use?

Either delete it or cd into the outputFile directory and type:

   echo "" > output.txt


Which file types are recognized

On importing data (importExternalSources):

   txt, xml and raw [ZAP default] 

On filtering out common words (filterDictionaries)

   txt only


How to Filter A Wordlist to Match Organizational Criteria

  1. Make sure there is a Selection Plugin with proper criteria
  2. If not, write one, put it in the plugin/policies/select directory and restart the app
  3. Put the wordlist -- such as Rockyou -- in the folder importExternalSource directory
  4. Select the two polices: "(0) No Substitution" & "(0) No Mutate Policies"
  5. Select the Selection Policy with your criteria
  6. Hit Run button
  7. Grab a cup of coffee.....


Can I run more than one instance at a time?

Yes. Type:

   ./pyOwaspBELVA.py &

Be aware that without changing the output file per instance the resulting datasets are will be intermingled.


How to import burp xml files for organization specific content

To be written soon and/or video posted.


How to import ZAP raw files for organization specific content

To be written soon and/or video posted.


How to create user id combinations

To be written soon and/or video posted.


How to write a plugin

To be written soon and/or video posted.


To Do

  1. Word selection / automated weighing of which words to use
  2. Interface improvements: better responsiveness
  3. Non-GUI version that directs output to stdout
  4. Expand functionality and add more plug-ins
    • Additional permutation dictionaries
    • Additional applied and removal policies
    • Additional username creation policies
  5. Other types of permutations in addition to just usernames and passwords (i.e., email addresses, sub-domain names)

Getting Involved

Fork the code on git and contribute! :)