
[WEB SECURITY] Owasp SiteGenerator v0.70 (public beta release)



After much development and hard work here is the first stable (beta)
release of the new Owasp SiteGenerator tool (whose Open Source
development has been sponsored by Foundstone)

Owasp SiteGenerator allows the creation of dynamic websites based on XML
files and predefined vulnerabilities (some simple to detect/exploit,
some harder) covering multiple .Net languages and web development
architectures (for example, navigation: Html, Javascript, Flash, Java,
etc...).

SiteGenerator can be used on the following projects:

    - Evaluation of Web Application Security Scanners
    - Evaluation of Web Application Firewalls
    - Developer Training
    - Web Honeypots
    - Web Application hacking contests (or evaluations)

You can read an introduction to this tool here
(http://sourceforge.net/mailarchive/message.php?msg_id=14547158), and
download the latest version from here:

    * Website installer:
      http://www.ddplus.net/projects/FoundStone/21-March-2006/SiteGenerator_IIS_Website_Setup v0.70.msi
    * Gui Installer:
      http://www.ddplus.net/projects/FoundStone/21-March-2006/Owasp SiteGenerator v0.70.msi

Some installation and configuration notes (which you only need to do once):

    * Before you install the website do this (assuming a Windows 2003 image)
          o Create a new Application pool, call it
            SiteGeneratorSystemAppPool, and configure it to run under
            System
          o Create a new website and point it to a local directory (the
            website installation files will be copied here)
          o Configure the new website to run Asp.Net 2.0
          o Create a new Application in that website and set the
            application pool to SiteGeneratorSystemAppPool
          o Add an IIS wildcard Application Mapping (accessible via Home
            Directory -> Configuration) to 
            C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
            and untick the 'Verify that file exists'
          o Make sure Default.htm is one of the files included in the
            default document list (in the 'Documents' tab)
          o Configure the Website's IP Address to be 127.0.0.1, and
            click on the Advanced button to add a new host header mapping
                + IPAddress: 127.0.0.1
                + TCP Port: 80
                + Host Header Value: SiteGenerator
    * Install the WebSite (selecting as the target the website created
      in the previous step)
    * Install the GUI
    * Add this line to your hosts file (located in
      C:\windows\system32\drivers\etc\hosts)
          o 127.0.0.1        SiteGenerator
    * Click on the SiteGenerator link that was placed on your desktop

If all goes well you can now browse to http://SiteGenerator or
http://127.0.0.1 (depending on whether you did the mappings or not) and see the
default SiteGenerator's website. If you see a blank page, try
http://127.0.0.1/Default.htm (you might be getting a cached version of
http://127.0.0.1)

Note that the SQL Injection vulnerabilities expect that you have the
latest version of HacmeBank (v2.0) installed in your box.

I am in the process of creating several videos (covering the
installation and GUI) which I am sure will be very useful and practical.
Also if you are interested in helping in the development of
SiteGenerator or in its vulnerabilities database, then contact me directly.

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net
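
The steps above put a deliberately vulnerable site in an application pool running as System and bind it to 127.0.0.1, so it is worth confirming after installation that the site really is loopback-only. The following is an added example, not part of the original post or of SiteGenerator: it checks a hosts file and `netstat -an` output, and the sample inputs, function names and the choice of `netstat -an` as the source are assumptions made for illustration.

```python
import ipaddress

# Constructed sample inputs (not from the original post).
HOSTS = """\
# hosts file after the installation steps
127.0.0.1       localhost
127.0.0.1       SiteGenerator
"""
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP address at all

def hosts_addresses(text, name):
    """Addresses the hosts file maps `name` to (format: address, then names)."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2 and name.lower() in (n.lower() for n in fields[1:]):
            found.append(fields[0])
    return found

def exposed_listeners(netstat, port=80):
    """Listening TCP sockets on `port` bound to anything other than loopback."""
    exposed = []
    for line in netstat.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[-1] == "LISTENING":
            host, _, p = f[1].rpartition(":")
            if p == str(port) and not is_loopback(host.strip("[]")):
                exposed.append(f[1])
    return exposed

def check(hosts, netstat, name="SiteGenerator", port=80):
    """Return a list of findings; an empty list means the lab site stays local."""
    findings = []
    addrs = hosts_addresses(hosts, name)
    if not addrs:
        findings.append(f"no hosts entry maps {name} to an address")
    findings += [f"{name} resolves to non-loopback {a}" for a in addrs if not is_loopback(a)]
    findings += [f"port {port} listening on {l}" for l in exposed_listeners(netstat, port)]
    return findings

if __name__ == "__main__":
    print(check(HOSTS, NETSTAT) or "OK: SiteGenerator is loopback-only")
```

A listener on `0.0.0.0:80`, or a hosts line with the name in the address column, shows up as a finding instead of passing silently.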
   






Brought to you by http://www.webappsec.org