[WEB SECURITY] Owasp SiteGenerator v0.70 (public beta release)

Dinis Cruz dinis at ddplus.net
Tue Mar 28 20:28:54 EST 2006


After much development and hard work here is the first stable (beta)
release of the new Owasp SiteGenerator tool (whose Open Source
development has been sponsored by Foundstone)

Owasp SiteGenerator allows the creating of dynamic websites based on XML
files and predefined vulnerabilities (some simple to detect/exploit,
some harder) covering multiple .Net languages and web development
architectures (for example, navigation: Html, Javascript, Flash, Java,
etc...).

SiteGenerator can be used on the following projects:

    - Evaluation of Web Application Security Scanners
    - Evaluation of Web Application Firewalls
    - Developer Training
    - Web Honeypots
    - Web Application hacking contests (or evaluations)

You can read an introduction to this tool here
(http://sourceforge.net/mailarchive/message.php?msg_id=14547158), and
download the latest version from here:

    * Website installer:
      http://www.ddplus.net/projects/FoundStone/21-March-2006/SiteGenerator_IIS_Website_Setup
      v0.70.msi
    * Gui Installer:
      http://www.ddplus.net/projects/FoundStone/21-March-2006/Owasp
      SiteGenerator v0.70.msi

Some installation and configuration notes (which you only need to do once):

    * Before you install the website do this (assuming a windows 2003 image)
          o Create a new Application pool, call it
            SiteGeneratorSystemAppPool), and configure it to run under
            System
          o Create a new website and point it to a local directory (the
            website installation files will be copied here)
          o Configure the new website to run Asp.Net 2.0
          o Create a new Application in that website and set the
            application pool to SiteGeneratorSystemAppPool
          o Add a IIS wildcard Application Mapping (accessible via Home
            Directory -> Configuration) to 
            C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
            and untick the 'Verify that file exists'
          o Make sure Default.htm is one of the files included in the
            default document list (in the 'Documents' tab)
          o Configure the Website's IP Address to be 127.0.0.1, and
            click on the Advanced button to add a new host header mapping
                + IPAddress: 127.0.0.1
                + TCP Port: 80
                + Host Header Value: SiteGenerator
    * Install the WebSite (selecting as the target the website created
      in the previous step)
    * Install the GUI
    * Add this line to your hosts file (located in
      C:\window\system32\drivers\etc\hosts)
          o SiteGenerator        127.0.0.1
    * Click on the SiteGenerator link that was placed on your desktop

If all goes well you now can browse to http://SiteGenerator or
http://127.0.0.1 (depending if you did the mappings or not) and see the
default SiteGenerator's website. If you see a blank page, try
http://127.0.0.1/Default.htm (you might be getting a cached version of
http://127.0.0.1)

Note that the SQL Injection vulnerabilities expect that you have the
latest version of HacmeBank (v2.0) installed in your box.

I am in the process of creating several videos (covering the
installation and GUI) which I am sure will be very useful and practical.
Also if you are interested in helping in the development of
SiteGenerator or in its vulnerabilities database, then contact me directly.

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net
   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060329/79f34dff/attachment.html>


More information about the websecurity mailing list