OWASP AppSec USA 2011 (Minneapolis)

"Your life is in the cloud."

Training: September 20-21. U Challenge, Workgroups, 5K/10K: September 21. Talks, CTF, Sponsors, Open Source Showcase: September 22-23.
OPEN SOURCE SHOWCASE

September 22-23, 2011: Open source promotion, demos, and information sharing for your enjoyment

OWASP offered a limited number of FREE booth spaces at AppSec USA 2011 for open source projects to promote, demo, and share information about their project!

Absolutely NO sales or commercial marketing was permitted at the Open Source Showcase. The purpose of the showcase was strictly to share and promote open source projects. Commercial organizations supporting open source projects are free to participate in future Open Source Showcase events so long as they abide by these restrictions. Organizations that wish to conduct sales presentations and commercial marketing will be better suited by purchasing a booth in the vendor showroom at a future event.


Open Source Showcase Schedule

Thursday, September 22, 2011

0920-1300
  Booth A: Global Projects Committee
  Booth B: ModSecurity - Open Source Web Application Firewall (Ryan Barnett)
  Booth C: Armitage: Fast and Easy Hacking for Metasploit (Raphael Mudge)
  Booth D: MozSecWorld (Michael Coates)
  Booth E: w3af demos, Q&A, and code walkthrough (Andrés Riancho)

1300-1640
  Booth A: Global Projects Committee
  Booth B: Vega: Cross-Platform, Open Source Web Application Assessment Platform (David Mirza)
  Booth C: Armitage: Fast and Easy Hacking for Metasploit (Raphael Mudge)
  Booth D: OWASP Broken Web Application Project Demo (Chuck Willis)
  Booth E: OWASP O2 Platform (Dinis Cruz)

Friday, September 23, 2011

0920-1300
  Booth A: Global Projects Committee
  Booth B: ModSecurity - Open Source Web Application Firewall (Ryan Barnett)
  Booth C: Empty due to scheduling conflict
  Booth D: Visualizing Tracking on the Web (Sid Stamm)
  Booth E: OWASP O2 Platform (Dinis Cruz)

1300-1640
  Booth A: Global Projects Committee
  Booth B: Vega: Cross-Platform, Open Source Web Application Assessment Platform (David Mirza)
  Booth C: Empty due to scheduling conflict
  Booth D: Visualizing Tracking on the Web (Sid Stamm)
  Booth E: JavaScript Analysis Platform (Praveen Murthy)

The Demos

The following information was current as of OWASP AppSec USA 2011.

Armitage: Fast and Easy Hacking for Metasploit
Web: http://www.fastandeasyhacking.com
Raphael Mudge

Featured on the cover of the May 2011 Linux Journal and used by Cameron to hack Oz's system on Fox's Breaking In, Armitage is a graphical cyber attack management tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced capabilities of the framework. This demonstration will show how to manage remote Metasploit instances and collaborate using Armitage. You'll learn how to share sessions and data, communicate, and carry out advanced post-exploitation as a team through one Metasploit instance.


JavaScript Analysis Platform
Praveen Murthy

The JavaScript Analysis Platform is a platform for analyzing JavaScript by building a detailed semantic model and a control flow graph based on that semantic model. The semantic model, called lambdaJS, was developed by Shriram Krishnamurthi and his students at Brown University. The lambdaJS model captures all of the implicit behavior in JavaScript and models the language exactly as per the ECMA-262, edition 3 standard, except for dynamic constructs such as eval. The Brown University work showed that the lambdaJS model, when executed, produces exactly the same results on the Mozilla JavaScript test suite (without eval and any browser-specific extensions) as Rhino (a JavaScript interpreter in Java), V8, and SpiderMonkey.

The lambdaJS codebase from Brown is written in Haskell; in our platform, everything is in Java. With our codebase, you can parse JavaScript, build the internal lambdaJS model, and build a detailed control flow graph on the lambdaJS model. The CFG can be used for static analysis or information flow analysis. We believe that this is the first powerful, open-source platform for performing static analysis on JavaScript, and it is based on a mathematically rigorous semantics of the core language.

We hope that the community can benefit from this platform, and will work on pushing its boundaries in scalability, and in developing add-on libraries for modeling the extended environment, and large libraries such as jQuery.


ModSecurity - Open Source Web Application Firewall
Web: https://www.modsecurity.org
Ryan Barnett

"ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. In this case ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems. ModSecurity provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, the OWASP ModSecurity Core Rule Set is a free certified rule set for ModSecurity 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow them to be used as a step-by-step deployment guide for ModSecurity."

MozSecWorld
Web: http://mozsecworld.org
Michael Coates

MozSecWorld is a reference site to help web developers make their sites more secure. It is a running Django web application demonstrating major security paradigms used within Mozilla web applications and security capabilities of modern browsers. Each security feature comes with a live demo, complete with explanations, diagrams, and code.

Like other Mozilla projects, MozSecWorld is completely open source. Feel free to comment, critique, or contribute.


OWASP Broken Web Applications Project Demo
Web: http://www.owaspbwa.org
Chuck Willis

The Open Web Application Security Project (OWASP) Broken Web Applications project provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles.

Demonstrations will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents.


OWASP O2 Platform
Web: https://www.owasp.org/index.php/O2
Dinis Cruz

The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews.

O2 is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.

Vega: Cross-Platform, Open Source Web Application Assessment Platform
Web: http://www.subgraph.com/products.html
David Mirza

Vega is a GUI-based desktop application written in Java that runs on Linux, OS X and Windows. It includes an automated scanner (DAST) as well as an intercepting proxy. The scanner runs modules written in JavaScript that are entirely customizable, and generates XML-based alerts, which are also customizable. The API is rich and fairly well documented. Vega is in beta and was launched on July 1 at FISL12. We have had great, positive feedback, and people are finding the tool useful already (sectoolsaddict compared it against others; we did pretty well).

There are some screenshots here:

http://keystream.subgraph.com/2011/07/01/vega-beta-release/

Visualizing Tracking on the Web
Web: http://collusion.toolness.org
Sid Stamm

Collusion is something our Mozilla mad scientist Atul Varma whipped together to visualize tracking on the web. It helps show how sites track you using third-party cookies so you can see what these third parties know about your browsing habits. This tool shows data flow and can be used to spark ideas about shutting down unwanted privacy invasions.


w3af demos, Q&A and code walkthrough
Web: http://www.w3af.com
Andrés Riancho

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

The project's long term objectives are:

  • Create the biggest community of Web Application Hackers
  • Become the best Web Application Scanner
  • Become the best Web Application Exploitation Framework
  • Combine static code analysis and black box testing into one framework
  • Become the nmap for the Web


Questions?

E-mail [email protected] if you have any questions.


Promotional Consideration Provided By

Corporate Donors: Cargill
Platinum: Trustwave, Security Innovation
Gold: IBM, NetSPI, Veracode, Qualys, Fortify (an HP Company)
Silver: Cigital, Accuvant, Core Security, Radware, Imperva, WhiteHat Security, Barracuda Networks, Rapid7, Aspect Security, Fishnet Security, Intrepidus Group, NT OBJECTives
Additional Sponsors: F5
Media Partners: TECHdotMN, The 451 Group, (ISC)2, InfoSecurity