OWASP H2H Tool Project


H2H is an open source project for detecting all entry points of web applications written in Java. Entry points and endpoints are defined and explained in these articles: https://digitalguardian.com/resources/data-security-knowledge-base/endpoint-detection-and-response-edr and Gartner http://www.gartner.com/technology/reprints.do?id=1-26F1285&ct=141223&st=sb. From our point of view, most web applications written in Java consist of spaghetti code and rely on ever more complex frameworks. H2H aims to make it easier to find vulnerabilities in Java web applications by listing all of their endpoints, that is, the code written by the project's own developers that answers requests (HTTP requests, RMI calls, etc.). We could have simply listed all servlets, filters and listeners, but with frameworks such as Spring or JSF that granularity is not enough: these frameworks expose their own component (a servlet or listener) first and then dispatch the request, according to the URI or a context, to the code written by the project. H2H therefore analyzes the most widely used frameworks to recover all of the endpoints.

Our goal is to find 100% of the entry points, in order to improve test coverage during pentests and security audits.


Description

H2H is a Java agent that performs several tasks:

  • H2H scans the entire application and all of its frameworks to list every endpoint. Here is the list of components (frameworks) analyzed by H2H.
  • A sensor can be enabled in H2H that monitors each endpoint. During a pentest, for example, this monitoring shows whether the test scenarios have exercised every endpoint.
  • A sensor can be enabled in H2H that monitors each endpoint's performance.

Entry points can be visualized either through a new URL that H2H adds to the application or through the H2H-Web Visualization Project.


The project is composed of two sub-projects: the Core, the Java agent, and the Web, a user-friendly interface.
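To make the granularity point above concrete, here is an added example (written for this page, not code from H2H) of the two layers an endpoint inventory has to look at. It is a JDK-only Java program: the @ServletMapping and @Route annotations are hypothetical stand-ins for the Servlet API's @WebServlet and Spring's @RequestMapping, and the two annotated sample classes are constructed input. H2H itself runs as a Java agent over the loaded application and covers many more frameworks than this sketch.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical stand-in for the Servlet API's @WebServlet (keeps the example JDK-only). */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface ServletMapping {
    String[] value();
}

/** Hypothetical stand-in for Spring's @RequestMapping, usable on a controller class and its methods. */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Route {
    String path() default "";
    String[] methods() default {};
}

/** Constructed sample: the framework's own front-controller servlet, mapped to everything. */
@ServletMapping("/*")
class DispatcherLikeServlet {}

/** Constructed sample: project code that the front controller dispatches to by path and verb. */
@Route(path = "/users")
class UserController {
    @Route(methods = "GET")                    void list()   {}
    @Route(methods = "POST")                   void create() {}
    @Route(path = "/{id}", methods = "DELETE") void remove() {}
    void helper() {} // not annotated, so not an endpoint
}

public class EndpointInventory {

    /** One row of the inventory: which layer found it, the verbs, the path and the handling code. */
    record Endpoint(String layer, String verbs, String path, String handler) {}

    /** Normalise "prefix + path" so "/users" + "" -> "/users" and "/users" + "/{id}" -> "/users/{id}". */
    static String joinPath(String prefix, String path) {
        String full = (prefix + "/" + path).replaceAll("/+", "/");
        return full.length() > 1 && full.endsWith("/") ? full.substring(0, full.length() - 1) : full;
    }

    /** Walk the given classes and collect both servlet-level and framework-level endpoints. */
    static List<Endpoint> scan(Class<?>... classes) {
        List<Endpoint> found = new ArrayList<>();
        for (Class<?> c : classes) {
            // Layer 1: container-level mappings. For Spring or JSF applications this usually
            // yields only the framework's own front controller, which is why this granularity
            // is not enough for a pentest.
            ServletMapping sm = c.getAnnotation(ServletMapping.class);
            if (sm != null) {
                for (String p : sm.value()) {
                    found.add(new Endpoint("servlet", "ANY", p, c.getName()));
                }
            }
            // Layer 2: framework routes. A class-level path prefixes every method-level path,
            // and each annotated method is a separate entry point written by the project.
            Route classRoute = c.getAnnotation(Route.class);
            String prefix = classRoute == null ? "" : classRoute.path();
            for (Method m : c.getDeclaredMethods()) {
                Route r = m.getAnnotation(Route.class);
                if (r == null) continue;
                String verbs = r.methods().length == 0 ? "ANY" : String.join(",", r.methods());
                found.add(new Endpoint("framework", verbs, joinPath(prefix, r.path()),
                                       c.getName() + "#" + m.getName()));
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // A real agent would take the class list from the loaded classes or the classpath;
        // here the two constructed samples above are scanned directly.
        for (Endpoint e : scan(DispatcherLikeServlet.class, UserController.class)) {
            System.out.printf("%-9s %-7s %-14s %s%n", e.layer(), e.verbs(), e.path(), e.handler());
        }
    }
}
```

Run it with `java EndpointInventory.java` (JDK 16 or later). The servlet layer reports a single "/*" mapping owned by the dispatcher, while the framework layer reports the three real entry points (GET and POST /users, DELETE /users/{id}) together with the project method behind each one, which is the list a tester needs in order to check coverage.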

Licensing

H2H is an open source project released under the Apache 2 license.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP XXX and any contributions are Copyright © by {the Project Leader(s) or OWASP} {Year(s)}.

Project Resources

Main Page

Core Project

Visualization Project

Documentation

Issue Tracker


Project Leader

Damien Kerbart
Jean-Louis Boudart
Guillaume Dufour
Nicolas Poirier

Classifications

  • Project type: Tool
  • Incubator Project
  • Builders, Defenders
  • Affero General Public License 3.0

News and Events

  • [12 August 2015] First Release

Coming soon

How can I participate in your project?

Fork our repository on GitHub and send a pull request!

Installation

For core : https://github.com/highway-to-urhell/highway-to-urhell/blob/master/README.md

For Web-Project : https://github.com/highway-to-urhell/highway-to-urhell-web/wiki

Contributors

The first contributors to the project were:

  • Jean-Louis Boudart
  • Damien Kerbart
  • Guillaume Dufour
  • Nicolas Poirier


  • Add a performance counter in the next release
  • Add export of configuration for Apache, F5 and Nginx

