OWASP FOSBBWAS (code name Beretta)

Jump to: navigation, search

Download: http://www.devcafe.co.uk/beretta/downloads.htm

This project aims to create a:

  • Commercial quality open source black box web application scanner that is:
    • Extensible
    • Customizable
    • Scaleable
    • Robust
    • User Friendly
    • Methodical
  • The objective is to:
    • Help developers to create secure and robust Web applications
    • Help System administrators and professional Pen-Tester to identify vulnerable Web Applications
    • Create tests for the OASIS WAS database, OWASP Testing Guide and

OWASP PenTesting Checklist


  • Unzip the downloaded files (duh..!)
  • Restore the Beretta Db file to your SQL 2000 database server and create a user to access this database
  • Move the unzipped Beretta application directory to somewhere in your web server root
  • Set the necessary NTFS permissions
  • Create a virtual directory in IIS to this newly created directory
  • Modify the Web.config keys databaseConnection, and siteRoot to the relevant values.
  • Modify the Web.config key "outputDir" to be the physical path of the "output" directory beneath the web application root. XML scan reports will be created here
  • Make sure ~/output/ has write permissions for the user ASP.net is running under
  • Open up an internet browser and browse to the virtual directory you created
  • Enter login details (defaults below)

Username: admin Password: pass

  • You should now be logged into the application. Foundstones hacme bank is a good place to start experimenting with Beretta.
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.