OWASP Forward Exploit Tool Project

From OWASP
Revision as of 12:57, 23 December 2010 by Marcos Mateos Garcia (Talk | contribs)

Jump to: navigation, search

Main

Welcome to the Forward Exploit Tool Project

This project is intended to develop a tool to exploit OWASP Top Ten 2010 - A10: Unvalidated Redirects and Forwards vulnerability, focused in the unvalidated "forwards".

The main reason for the Forward Exploit Tool is that there is no tool for this fact, as far as I know. On the other hand, I have seen this problem in several applications that I've analysed in last times, besides this problem has been included in the recent OWASP Top Ten 2010.

Overview

Unvalidated Forwards can be used to bypass access controls, specific or standard access control. For an automatized tool is difficult to exploit specific facts, but can work well with standard situations. So, the focus is standard access control in Java applications, like restricted directory /WEB-INF. Below this directory is all deployed application files: binary/compiled files, configuration, etc. In Java, compiled files (class) can be easily de-compiled to obtain source code.
The impact: compromise all files, including source code, information hardcoded (credentials, SQL clauses, IP addresses, etc.). This is a high-critical impact.

How it works

TBD

Download

TBD Download from SourceForge


Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Forward Exploit Tool Project (home page)
Purpose: This projects aims to develop a tool to exploit Top 10 2010 - A10 - Unvalidated Forward vulnerability to bypass access control to protected Java application files (config, binary -source code, etc.). It aims also to automate the download of known files in Java Web applications.
License: LGPL v3
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases