Difference between revisions of "OWASP Security Blitz"

(June contents, YouTube videos from getmantra channel)
m (Reverted edits by Micheal w s mcnamee (talk) to last revision by D0ubl3 h3lix)
 
(25 intermediate revisions by 6 users not shown)

Latest revision as of 07:46, 21 November 2012

=About=

OWASP is starting a monthly security blitz in which we will rally the security community around a particular topic. The topic may be a vulnerability, a defensive design approach, a technology or even a methodology. All members of the security community are encouraged to write blog posts and articles, contribute patches to tools, record videos, etc. in the spirit of the current monthly topic. Our goal is to show each topic from the different perspectives of builders, breakers and defenders.

=How Can You Help?=

==Individual Experts==

As an individual, please create material on the monthly security topic. If you have recently created material that is relevant to the month at hand, please link it in the section below. As mentioned above, the goal is to have a variety of perspectives (builder, breaker, defender, policy, etc.) and types of content (tools, docs, videos, code patches, etc.).

==Companies / Organizations / Universities==

Please consider launching an internal awareness program to coincide with the security blitz. This will allow all of us to pool resources and maximize the impact of each month's topic.

=Monthly Security Topics=

* 2012 - April - SQL Injection
* 2012 - May - Cross Site Scripting
* 2012 - June - Access Control
* 2012 - July - Mobile Security
* 2012 - August - Threat Modeling
* 2012 - September - SSL
* 2012 - October - Cloud Security
* 2012 - November - Web Services Security
* 2012 - December - TBD

==Articles/Contributions/Updates==

Please add links to any stories, posts, articles, etc. that are related to the current month's topic. Tag each link with the perspective it represents (Builder, Breaker, Defender).

===April - SQL Injection===
# [http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_InjectionFlaws_BlindSQLInjection/WebGoat_InjectionFlaws_BlindSQLInjection.html OWASP WebGoat - Blind SQL Injection with JHijack] (Breaker)
# [https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet OWASP Query Parameterization Cheat Sheet] (Builder)
# [http://thepowerofapostrophe.blogspot.in/ The Power of the Apostrophe blog] (funny)
# [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet OWASP SQL Injection Prevention Cheat Sheet] (Builder)

===May - Cross Site Scripting===
# [http://ha.ckers.org/xss.html XSS cheat sheet] (Breaker)
# [http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html XSS: Gaining access to HttpOnly Cookie in 2012] (Breaker)
# [http://yehg.net/lab/pr0js/pentest/flash-xsser.php Flash-based XSSer] (Breaker)
# [http://yehg.net/lab/pr0js/pentest/ie-referer-xsser.php IE Referer XSSer] (Breaker)
# [http://seckb.yehg.net/2012/06/using-post-method-to-bypass-ie-browser.html Using POST method to bypass IE-protected XSS] (Breaker)
# [https://www.owasp.org/index.php/DOM_Based_XSS DOM Based XSS] (Breaker)
# [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series AppSec Tutorial Project - Cross Site Scripting] ([http://www.youtube.com/watch?v=_Z9RQSnf8-g Video Link]) (Breaker)
# [http://yehg.net/lab/pr0js/training/view/misc/joomla-1.5.20_encoded-xss/ Double-Nibble-URI XSS on Joomla! 1.5.20] (Breaker)
# [http://yehg.net/lab/pr0js/training/view/misc/Hacking%20Rapidshare%20With%20XSS/ Infamous compromise of user account credentials with XSS] (Breaker)
# [http://yehg.net/e PHP Charset Encoder] (Breaker)
# [http://yehg.net/lab/pr0js/pentest/CAL9000/ CAL9000] (Breaker)
# [http://utf-8.jp/ utf8.jp's JS Encoders] (Breaker)
# [http://code.google.com/p/xssf/ XSSF: Cross Site Scripting Framework] (Breaker)
# [http://labs.neohapsis.com/2012/04/19/xss-shortening-cheatsheet/ XSS Shortening Cheat Sheet] (Breaker)
# [http://labs.neohapsis.com/2012/04/25/abusing-password-managers-with-xss/ Abusing Password Managers with XSS] (Breaker)
# [http://seckb.yehg.net/2011/02/attribute-based-cross-site-scripting.html Attribute-based XSS When Encoding Double Quotes is NOT Enough] (Builder)
# [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] (Builder)
# [https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet OWASP XSS Prevention Cheat Sheet] (Builder)
# [https://www.owasp.org/index.php?title=DOM_based_XSS_Prevention_Cheat_Sheet DOM Based XSS Prevention Cheat Sheet] (Builder)

===June - Access Control===
# From the OWASP Mantra YouTube channel (Breaker)
## URL Access
## [http://www.youtube.com/watch?v=o1WVx6eYE-M Broken Session Management]
## [http://www.youtube.com/watch?v=yTbB42sR208 Broken Authentication]
# [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws OWASP WebGoat - Access Control Flaws] (Breaker)
# [http://blog.portswigger.net/2011/03/burp-v14-preview-testing-access.html Burp Suite - Testing access controls using your browser] (Breaker)
# [http://blog.portswigger.net/2011/03/burp-v14-preview-comparing-site-maps.html Burp Suite - Comparing site maps] (Breaker)
# [http://yehg.net/lab/pr0js/training/view/misc/Exploiting_LogicFlaw/exploiting-logicflaw.html Gaining access through netcat] (Breaker)

===July - Mobile Security===
# [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing_Guide OWASP Mobile Security Testing Guide] (Breaker)
# [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls OWASP/ENISA Top 10 Mobile Controls] (Defender)
# [http://www.shaunzinck.com/2012/07/analyzing-iphone-traffic-with-your.html Intercepting iPhone Traffic with your MacBook] (Breaker)

===August - Threat Modeling===

===September - SSL===

===October - Cloud Security===

===November - Web Services Security===

===December - TBD===