[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4429E314.1090409@ddplus.net>
Date: Wed Mar 29 04:02:48 2006
From: dinis at ddplus.net (Dinis Cruz)
Subject: Owasp SiteGenerator v0.70 (public beta release)
After much development and hard work here is the first stable (beta)
release of the new Owasp SiteGenerator tool (whose Open Source
development has been sponsored by Foundstone)
Owasp SiteGenerator allows the creating of dynamic websites based on XML
files and predefined vulnerabilities (some simple to detect/exploit,
some harder) covering multiple .Net languages and web development
architectures (for example, navigation: Html, Javascript, Flash, Java,
etc...).
SiteGenerator can be used on the following projects:
- Evaluation of Web Application Security Scanners
- Evaluation of Web Application Firewalls
- Developer Training
- Web Honeypots
- Web Application hacking contests (or evaluations)
You can read an introduction to this tool here
(http://sourceforge.net/mailarchive/message.php?msg_id=14547158), and
download the latest version from here:
* Website installer:
http://www.ddplus.net/projects/FoundStone/21-March-2006/SiteGenerator_IIS_Website_Setup
v0.70.msi
* Gui Installer:
http://www.ddplus.net/projects/FoundStone/21-March-2006/Owasp
SiteGenerator v0.70.msi
Some installation and configuration notes (which you only need to do once):
* Before you install the website do this (assuming a windows 2003 image)
o Create a new Application pool, call it
SiteGeneratorSystemAppPool), and configure it to run under
System
o Create a new website and point it to a local directory (the
website installation files will be copied here)
o Configure the new website to run Asp.Net 2.0
o Create a new Application in that website and set the
application pool to SiteGeneratorSystemAppPool
o Add a IIS wildcard Application Mapping (accessible via Home
Directory -> Configuration) to
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
and untick the 'Verify that file exists'
o Make sure Default.htm is one of the files included in the
default document list (in the 'Documents' tab)
o Configure the Website's IP Address to be 127.0.0.1, and
click on the Advanced button to add a new host header mapping
+ IPAddress: 127.0.0.1
+ TCP Port: 80
+ Host Header Value: SiteGenerator
* Install the WebSite (selecting as the target the website created
in the previous step)
* Install the GUI
* Add this line to your hosts file (located in
C:\window\system32\drivers\etc\hosts)
o SiteGenerator 127.0.0.1
* Click on the SiteGenerator link that was placed on your desktop
If all goes well you now can browse to http://SiteGenerator or
http://127.0.0.1 (depending if you did the mappings or not) and see the
default SiteGenerator's website. If you see a blank page, try
http://127.0.0.1/Default.htm (you might be getting a cached version of
http://127.0.0.1)
Note that the SQL Injection vulnerabilities expect that you have the
latest version of HacmeBank (v2.0) installed in your box.
I am in the process of creating several videos (covering the
installation and GUI) which I am sure will be very useful and practical.
Also if you are interested in helping in the development of
SiteGenerator or in its vulnerabilities database, then contact me directly.
Best regards
Dinis Cruz
Owasp .Net Project
www.owasp.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060329/66828716/attachment.html
Powered by blists - more mailing lists