OPEN SOURCE SHOWCASE
September 22-23, 2011: Open source promotion, demos, and information sharing for your enjoyment
OWASP offered a limited number of FREE booth spaces at AppSec USA 2011 for open source projects to promote, demo, and share information about their project!
Absolutely NO sales or commercial marketing was permitted at the Open Source Showcase. The purpose of the showcase was strictly to share and promote open source projects. Commercial organizations supporting open source projects are free to participate in future Open Source Showcase events so long as they abide by these restrictions. Organizations that wish to conduct sales presentations and commercial marketing will be better suited by purchasing a booth in the vendor showroom at a future event.
Open Source Showcase Schedule
Thursday, September 22, 2011
Time | Booth A | Booth B | Booth C | Booth D | Booth E
---|---|---|---|---|---
0920-1300 | Global Projects Committee | ModSecurity - Open Source Web Application Firewall (Ryan Barnett) | Armitage: Fast and Easy Hacking for Metasploit (Raphael Mudge) | MozSecWorld (Michael Coates) | w3af demos, Q&A, and code walkthrough (Andrés Riancho)
1300-1640 | Global Projects Committee | Vega: Cross-Platform, Open Source Web Application Assessment Platform (David Mirza) | Armitage: Fast and Easy Hacking for Metasploit (Raphael Mudge) | OWASP Broken Web Application Project Demo (Chuck Willis) | OWASP O2 Platform (Dinis Cruz)
Friday, September 23, 2011
Time | Booth A | Booth B | Booth C | Booth D | Booth E
---|---|---|---|---|---
0920-1300 | Global Projects Committee | ModSecurity - Open Source Web Application Firewall (Ryan Barnett) | Empty (scheduling conflict) | Visualizing Tracking on the Web (Sid Stamm) | OWASP O2 Platform (Dinis Cruz)
1300-1640 | Global Projects Committee | Vega: Cross-Platform, Open Source Web Application Assessment Platform (David Mirza) | Empty (scheduling conflict) | Visualizing Tracking on the Web (Sid Stamm) | JavaScript Analysis Platform (Praveen Murthy)
The Demos
The following information was current as of OWASP AppSec USA 2011.
Armitage: Fast and Easy Hacking for Metasploit
Web: http://www.fastandeasyhacking.com
Raphael Mudge
Featured on the cover of the May 2011 Linux Journal and used by Cameron to hack Oz's system on Fox's Breaking In, Armitage is a graphical cyber attack management tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced capabilities of the framework. This demonstration will show how to manage remote Metasploit instances and collaborate using Armitage. You'll learn how to share sessions and data, communicate, and carry out advanced post-exploitation as a team through one Metasploit instance.
JavaScript Analysis Platform
Praveen Murthy
The JavaScript Analysis Platform is a platform for analyzing JavaScript by building a detailed semantic model and a control flow graph based on that semantic model. The semantic model, called lambdaJS, was developed by Shriram Krishnamurthi and his students at Brown University. The lambdaJS model captures all of the implicit behavior in JavaScript and models the language exactly as specified by the Ecma-262, edition 3 standard, except for dynamic constructs such as eval. The Brown University work showed that the lambdaJS model, when executed, produces exactly the same results on the Mozilla JavaScript test suite (without eval and any browser-specific extensions) as Rhino (a JavaScript interpreter in Java), V8, and SpiderMonkey.
The lambdaJS codebase from Brown is written in Haskell; in our platform, everything is in Java. With our codebase, you can parse JavaScript, build the internal lambdaJS model, and build a detailed control flow graph on the lambdaJS model. The CFG can be used for static analysis or information flow analysis. We believe that this is the first powerful, open-source platform for performing static analysis on JavaScript, and it is based on a mathematically rigorous semantics of the core language.
We hope that the community can benefit from this platform and will work on pushing its boundaries in scalability, and on developing add-on libraries for modeling the extended environment and large libraries such as jQuery.
ModSecurity - Open Source Web Application Firewall
Web: https://www.modsecurity.org
Ryan Barnett
"ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. In this case ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems. ModSecurity provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, the OWASP ModSecurity Core Rule Set is a free certified rule set for ModSecurity 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow them to be used as a step-by-step deployment guide for ModSecurity."
MozSecWorld
Web: http://mozsecworld.org
Michael Coates
MozSecWorld is a reference site to help web developers make their sites more secure. It is a running Django web application demonstrating major security paradigms used within Mozilla web applications and security capabilities of modern browsers. Each security feature comes with a live demo, complete with explanations, diagrams, and code.
Like other Mozilla projects, MozSecWorld is completely open source. Feel free to comment, critique, or contribute.
OWASP Broken Web Applications Project Demo
Web: http://www.owaspbwa.org
Chuck Willis
The Open Web Application Security Project (OWASP) Broken Web Applications project provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles.
Demonstrations will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents.
OWASP O2 Platform
Web: https://www.owasp.org/index.php/O2
Dinis Cruz
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews.
O2 is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.
Vega: Cross-Platform, Open Source Web Application Assessment Platform
Web: http://www.subgraph.com/products.html
David Mirza
Vega is a GUI-based desktop application written in Java that runs on Linux, OS X and Windows. It includes an automated scanner (DAST) as well as an intercepting proxy. The scanner runs modules written in JavaScript that are entirely customizable, and generates XML-based alerts, which are also customizable. The API is rich and fairly well documented. Vega is in beta and was launched on July 1 at FISL12. We have had great, positive feedback, and people are finding the tool useful already (sectoolsaddict compared it against others, and we did pretty well).
There are some screenshots here: http://keystream.subgraph.com/2011/07/01/vega-beta-release/
Visualizing Tracking on the Web
Web: http://collusion.toolness.org
Sid Stamm
Collusion is something our Mozilla mad scientist Atul Varma whipped together to visualize tracking on the web. It shows how sites track you using third-party cookies, so you can see what these third parties know about your browsing habits. The tool displays this data flow and can be used to spark ideas about shutting down unwanted privacy invasions.
w3af demos, Q&A and code walkthrough
Web: http://www.w3af.com
Andrés Riancho
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
The project's long term objectives are:
- Create the biggest community of Web Application Hackers
- Become the best Web Application Scanner
- Become the best Web Application Exploitation Framework
- Combine static code analysis and black box testing into one framework
- Become the nmap for the Web
Questions?
E-mail [email protected] if you have any questions.