Difference between revisions of "SpoC 007 - Attacks Reference Guide"

From OWASP
 
(3 intermediate revisions by 2 users not shown)
Line 2: Line 2:
  
  
'''AoC Candidate''':  NSRAV Security Research Group
+
'''AoC Candidate''':  NSRAV Security R&D
  
'''Project coordinator''': TBA
+
'''Project coordinator''': Dinis Cruz
  
'''Project Progress''': 70% Complete, [[SpoC 007 - Attacks Reference Guide - Progress Page|Progress Page]]
+
'''Project Progress''': 100% Complete, [[SpoC 007 - Attacks Reference Guide - Progress Page|Progress Page]]
  
==  NSRAV Security Research Group - Attacks Reference Guide ==
+
==  Leonardo Cavallari & Matteo Nava - NSRAV Security R&D - Attacks Reference Guide ==
  
  
===  Background Information ===
+
===  Introduction ===
  
[http://nsrav.lsi.usp.br/ NSRAV] is a security research center located at [http://www2.usp.br/portugues/index.usp University of Sao Paulo] Brazil, with more than 10 years on the information security field. Our team is formed by PhDs, MSc, graduate and post-graduate students and security specialists with GIAC/SANS and CISSP certifications.
+
Leonardo Cavallari & Matteo Nava are security specialists of [http://www.evaltec.com.br E-VAL Technologies] and coordinators of [http://nsrav.lsi.usp.br/ NSRAV], a security research center located at [http://www2.usp.br/portugues/index.usp University of Sao Paulo] Brazil, with more than 10 years on the information security field. The team is formed by PhDs, MSc, graduate and post-graduate students and security specialists with GIAC/SANS and CISSP certifications.
  
We develop research and consulting activities in almost every field of information security, focused on EHT, Web applications, IDS/IPS and detection techniques, grid security, among others. The group is leaded by [http://www.lsi.usp.br/~leonardo/ Leonardo Cavallari Militelli] and Matteo Nava.  
+
The team develops research and consulting activities in almost every field of information security, focused on EHT, Web applications, IDS/IPS and detection techniques, grid security, among others.
  
 
=== Our Expectations ===
 
=== Our Expectations ===
Line 46: Line 46:
 
=== Long-Term Vision for the Project ===
 
=== Long-Term Vision for the Project ===
  
We expect that with a worldwide contribution, the Attack and Vulnerability reference guides can become the most complete and updated security reference available. Also, we expect to create cross-reference among OWASP documents, using the same concepts, definitions, and categories in order to inter-link all the documents.
+
We expect that with a worldwide contribution, the Attack and Honeycomb project can become the most complete and updated security reference available. Also, we expect to create cross-reference among OWASP documents, using the same concepts, definitions, and categories in order to inter-link all the documents.
  
  
 
'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''
 
'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

Latest revision as of 13:33, 28 January 2008

Back to SpoC 007 Selection page


AoC Candidate: NSRAV Security R&D

Project coordinator: Dinis Cruz

Project Progress: 100% Complete, Progress Page


Leonardo Cavallari & Matteo Nava - NSRAV Security R&D - Attacks Reference Guide

Introduction

Leonardo Cavallari & Matteo Nava are security specialists at E-VAL Technologies and coordinators of NSRAV, a security research center located at the University of Sao Paulo, Brazil, with more than 10 years in the information security field. The team is made up of PhDs, MScs, graduate and post-graduate students, and security specialists with GIAC/SANS and CISSP certifications.

The team carries out research and consulting activities in almost every field of information security, focusing on EHT, Web applications, IDS/IPS and detection techniques, and grid security, among others.

Our Expectations

We recently started contributing to OWASP and we are developing a Portuguese translation of the Testing Guide v2 in order to spread it to those who have a potential language barrier.

The maintenance of attacks and vulnerability information is very close to our activities. We believe that we have the specific knowledge and expertise to develop this project.

Executive Summary

We propose to research new types of attacks and techniques that target Web applications and servers and to report all details about each one. We intend to explain each attack in detail, classify it by severity, likelihood of exploitation and impact (when possible), and cite references and means of circumvention.

The present OWASP Attacks reference guide lists a large number of attacks, but many of them lack explanations and references. For instance, SQL Injection is completely referenced, while Format string has only the topics but no description at all.

Also, we plan to categorize the attacks according to the Testing Guide categories, in order to give a better view of the attacks related to a given test category.

We believe that the Attack reference guide is very important to OWASP since it describes, in theory and in practice, all the threats to which a Web application can be susceptible; it gives the reason for OWASP's existence.

The vulnerability reference guide is important as well, and we will contribute constantly to keep it up to date, since it is missing a lot of information and references on its items. Also, it has almost 600 vulnerabilities and we are quite sure that some items are redundant or even out of date.

Specific activities

Since we will be participating as a group, the activities will be divided into the following steps:

  • Identify all existing attacks on the OWASP site.
  • Research new attacks and techniques.
  • Create test scenarios and exploitation, in order to acquire evidence to be published (when needed).
  • Detail and reference each attack, using the best-known and most reliable sources.

Long-Term Vision for the Project

We expect that, with worldwide contribution, the Attack and Honeycomb project can become the most complete and up-to-date security reference available. Also, we expect to create cross-references among OWASP documents, using the same concepts, definitions, and categories in order to inter-link all the documents.

