Difference between revisions of "Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project"

From OWASP
[[:Category:OWASP Project|Click here to return to OWASP Projects page.]]<br>

[[:Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project|Click here to see (& edit, if wanted) the template.]]

{{:Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project}}

{{:Project Information:template Access Control Rules Tester Project}}

Revision as of 11:06, 9 February 2009


PROJECT IDENTIFICATION
Project Name: OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project
Short Project Description: The idea of this project is to separate the target web application technology from three reusable libraries: a library of navigational elements, a library of vulnerabilities and a library of language constructs. The library of navigational elements is needed to assess spidering features, and the library of language constructs is needed to assess source code scanners; these constructs can be expressed in a programming language or, preferably, in the language-independent form of an Abstract Syntax Tree. The navigation and vulnerability libraries are independent of the technology the web application is built in. This makes it possible to create web applications with similar vulnerabilities in different technologies.

The user can create a target XML application configuration, similar to SiteGenerator's, in terms of site structure, navigational elements and vulnerabilities. After that, the web application can be generated with a technology-specific generator. Generators create source code or a binary application rather than a stub like SiteGenerator does. This allows static and dynamic code analysis, as well as penetration testing, to be performed on the generated web application.

The tool and the component library should be platform-independent, unlike SiteGenerator; only the technology-specific generators may be platform-dependent. Such technology-specific generators can be source code generators or binary application templates.

Key Project Information
Project Leader: Dmitry Kozlov
Project Contributors: (if any)
Mailing list: Subscribe here / Use here
License: GNU General Public License v2
Project Type: Tool
Sponsors: OWASP SoC 08

Release Status: Alpha Quality. Please see here for complete information.
Main Links: PowerPoint Presentation; http://code.google.com/p/osg2/
Related Projects: OWASP Site Generator



PROJECT IDENTIFICATION
Project Name: OWASP Access Control Rules Tester Project
Short Project Description: Web applications often contain sensitive data and provide functionality that should be protected from unauthorized access. Explicit access control policies can be leveraged to validate access control, but unfortunately such policies are rarely defined for web applications. It is known that access control flaws in web applications can be revealed by black-box analysis, but the existing "differential analysis" approach has certain limitations. We believe that taking the state of the web application into account could help overcome the limitations of the existing approach.

This project proposes a novel approach to black-box web application testing that uses a use-case graph. The graph contains classes of actions within the web application and the dependencies between them. By traversing the graph and applying differential analysis at each step of the traversal, the accuracy of the method can be improved. This idea is implemented in the tool AcCoRuTe (Access Control Rules Tester).

Key Project Information
Project Leader: Andrew Petukhov
Project Contributors: George Noseevich
Mailing List: Subscribe here / Use here
License: GNU General Public License v2
Project Type: Tool
Sponsors: OWASP SoC 08

Release Status: Beta Quality. Please see here for complete information.

Main Links:
Version 1.1
  PPT Presentation from the 1st SysSec Workshop (an updated method presented)
  A paper from the 1st SysSec Workshop with an updated method described
  A new codebase can be checked out here

Version 1.0
  PPT Presentation from OWASP EU Summit 2009
  What are business logic vulnerabilities? - An attempt to define their scope
  AcCoRuTe approach described
  Google Code Project page
  AcCoRuTe version 1.0.0 binaries
  AcCoRuTe User Guide

Related Projects: If any, add link here

