Sunday, February 19, 2012

OWASP Session Management Cheat Sheet (v2.0) & Podcast

In July 2011 the OWASP Session Management CheatSheet was released with the main goal of becoming a useful security reference for web application architects, developers, and security professionals. The document tries to summarize in a concise way all the best practices, recommendations, and countermeasures required to improve the security of today's session management implementations in web applications. The results of our web application penetration tests over the last few years unfortunately confirm that session management vulnerabilities are still very common and widely prevalent in critical web applications today.

Jim Manico gave me the opportunity to include this content in the famous OWASP CheatSheet series and talk about this topic. As a result, OWASP Podcast number 90, "Raul Siles", has been released (check the whole OWASP Podcast series). Thanks Jim!

Around October 2011 I slightly updated the official CheatSheet version in the OWASP Wiki, and last week, in sync with the podcast release, I published a new version (v2.0). This updated downloadable version (in PDF format) includes the updates from October (check the Wiki and document changelog) plus a new feature I plan to expand in future versions of this document: it includes additional session management references to attacks, pen-testing and auditing techniques, tools, and demonstrations complementing the original security countermeasures and defensive recommendations.
This new version, v2.0, includes the first 10 references/demos, including the OWASP Cookie Database Project, the BIG-IP_cookie_decoder.py and TLSSLed tools, the OddJob session hijacking banking trojan, and more.

I encourage everybody involved in web application security to review the OWASP Session Management CheatSheet, apply its contents to the currently available web applications and implementations, help spread the word, and contribute to it.

Image src: http://www.gabrielwoo.com/cookie-monster.jpg

Friday, February 10, 2012

Building OWASP ZAP Using Eclipse IDE for Java… Pen-Testers (v2.0)

The OWASP Zed Attack Proxy (ZAP) is the Toolsmith Tool of the Year for 2011. Last summer, the "Building OWASP ZAP Using Eclipse IDE for Java... Pen-Testers" guide (version 1.0) was published, and as the beginning of 2012 seems to be the time for second editions of my work ;-) (check the upcoming blog post with v2.0 of the "OWASP Session Management CheatSheet"), a new version of the guide has been released.

This new "Building OWASP ZAP Using Eclipse IDE for Java... Pen-Testers" (version 2.0), available for download from Taddong's Lab, includes significant changes from the first version. It provides an updated development environment not only to get and build the latest ZAP version from the official SVN repository, but to easily commit your changes if you want to contribute to the ZAP project. The proposed environment is more user friendly than in the first version, without requiring any external SVN client. Eclipse and Subclipse provide all the development and SVN capabilities integrated into the same tool. The guide also references the recent OWASP ZAP Extensions project and provides guidance to manage Java (JRE or JDK) updates in Eclipse.

I encourage everyone involved in web application security, from architects to developers, QA, auditors, and pen-testers, to take a look at OWASP ZAP and the OWASP ZAP Extensions, and to use this new ZAP building guide to enjoy the most current version from SVN and contribute to the project. The official "Building ZAP" Wiki has been updated to link to both versions of this guide.

NOTE: I will be talking about OWASP ZAP and releasing new smartcard features during my Rooted CON 2012 talk: "Security of Web Applications using the (Spanish) eID" ("Seguridad de aplicaciones web basadas en el DNIe", in Spanish).