Current Version: 0.70 (Public Beta)
- Evaluation of Web Application Security Scanners - Evaluation of Web Application Firewalls - Developer Training - Web Honeypots - Web Application hacking contests (or evaluations) - Whatever your mind can come up with!
- Website installer: SiteGenerator_IIS_Website_Setup v0.70.msi
- Gui Installer: Owasp_SiteGenerator_v0.70.msi
- Source Code: Owasp_SiteGenerator_v0.70_SourceCode.zip
Installation and configuration notes
- Before you install the website do this (assuming a windows 2003 image)
- Create a new Application pool, call it SiteGeneratorSystemAppPool), and configure it to run under System
- Create a new website and point it to a local directory (the website installation files will be copied here)
- Configure the new website to run Asp.Net 2.0
- Create a new Application in that website and set the application pool to SiteGeneratorSystemAppPool
- Add a IIS wildcard Application Mapping (accessible via Home Directory -> Configuration) to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll and untick the 'Verify that file exists'
- Note: On Windows XP the OK button might appear disable. You will need to browse to the file and then select the location and also put a dot in from of the asterik (i.e. .*) for the OK button to be enabled.
- Make sure Default.htm is one of the files included in the default document list (in the 'Documents' tab)
- Configure the Website's IP Address to be 127.0.0.1, and click on the Advanced button to add a new host header mapping
- IPAddress: 127.0.0.1
- TCP Port: 80
- Host Header Value: SiteGenerator
- Install the WebSite (selecting as the target the website created in the previous step)
- Install the GUI
- Add this line to your hosts file (located in C:\windows\system32\drivers\etc\hosts)
- 127.0.0.1 SiteGenerator
- Click on the SiteGenerator link that was placed on your desktop
If all goes well you now can browse to http://SiteGenerator or http://127.0.0.1 (depending if you did the mappings or not) and see the default SiteGenerator's website. If you see a blank page, try http://127.0.0.1/Default.htm (you might be getting a cached version of http://127.0.0.1)
Note that the SQL Injection vulnerabilities expect that you have the latest version of HacmeBank (v2.0) installed in your box.
I am in the process of creating several videos (covering the installation and GUI) which I am sure will be very useful and practical. Also if you are interested in helping in the development of SiteGenerator or in its vulnerabilities database, then contact me directly.
Introduction to SiteGenerator
1) this tool has been sponsored by Foundstone, BUT (and it is a big but) it is being released under the Owasp .Net Project and an Open Source Licence. So Kudos for Foundstone for doing this and I hope they get good exposure from it
3) There are many ways this tool can be used, here are just a couple starting ideas:
a) As a training tool since it allows the creation of multiple websites with multiple variations of vulnerabilities b) As a Web Application Honeypot (since we are able to create dynamic ( i.e. false) websites and track / monitor in real-time all requests made) c) As a test ground for newly discovered vulnerabilities types and its exploit vectors d) As a benchmark for Web Security Scanners
4) The Web Security Scanner benchmarking and testing is the most obvious short-term application for this tool, but I think that as it evolves the others will be proven to be as (if not more) valuable
5) On the Web Security Scanner issue:
6) Regarding how the tool works, here is a brief technical description:
There are two main components: A webserver (which can be IIS or a custom webserver) and a GUI application (written in C# 2.0). The Gui Application is responsible for handling all mappings (from the virtual requests to the actual pages on disk) and there is an unmanaged C++ DLL loaded by both which implements a Shared Memory to send and receive data between them.
The current version is hardcoded to IIS, although in the code there is support for using a custom .Net webserver. This IIS version uses an HttpHander to capture all requests and communicate with the GUI Application (called SiteGeneratorGUI). The previous version used C++ Detours to hook all sorts of functions in either IIS or the Custom Webserver (this worked ok, but ultimately I decided to use IIS since it was much more robust and scalable
The dynamic websites are defined by XML files like this (which are edited on the GUI Application using the WYSIWYG Altova Authentic Browser Object (SPS files created via Altova's StyleVision application)):
<?xml version="1.0" encoding="utf-8" ?> <SiteGenerator name="SiteGenerator Demo" xmlns:ipo=" http://www.altova.com/IPO" xmlns="http://www.xmlspy.com/schemas/orgchart" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <site> <folder name=""> <file mappedTo="aspx/Default.aspx" name="HelloWorld.aspx" /> <folder name="htm" /> <folder name="aspx"> <file mappedTo="aspx/pages.htm" name="pages.htm" /> <file mappedTo="aspx/xss.aspx" name="xss.aspx" /> <file mappedTo="aspx/SqlInjection_Easy.aspx" name=" SqlInjection.aspx" /> <file mappedTo="aspx/SqlInjection_Hard.aspx" name=" SqlInjection2.aspx" /> </folder> <folder name="flash"> <file mappedTo="flash/cromas_xml.swf" name="cromas_xml.swf" /> <file mappedTo="flash/cromas_xml.htm" name="menu.htm" /> <file mappedTo="/flash/cromas_menu.xml" name="cromas_menu.xml" /> </folder> </folder> </site> </SiteGenerator>
SiteGeneratorGUI.exe and IIS will map the virtual name "HelloWorld.aspx" to the file on disk "aspx/Default.aspx" . For example: http://localhost/HelloWorld.aspx --> F:\Owasp SiteGenerator\SiteGenerator_ContentPages\aspx\Default.aspx
So to create new websites all you need to do is to create a new XML file
Then to create new vulnerabilities type, all you need to create in an Aspx page and map it to the xml file
7) the tool is still in Beta, so please be patient with it. The code is still a bit in mess, since there are multiple past experiments in there which I will need to clean up