OWASP OWTF THE OFFENSIVE (WEB) TESTING
FRAMEWORK + PTES PENETRATION TESTING EXECUTION
STANDARD = KALI POWER AUTO WEB PENTESTS
Mauro Risonho de Paula Assumpção
The Comprehensive Guide to Setting up a Development Environment for Django Project. Visit https://speakerdeck.com/uranusjr/django-dev-environment-howto if you like SpeakerDeck. :)
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeNSConclave
The speaker is going to conduct a hands-on instrumentation workshop on android using Frida. Frida is a popular instrumentation framework that is really helpful in the dynamic analysis of Android apps.
https://nsconclave.net-square.com/dynamic-instrumentation.html
The Comprehensive Guide to Setting up a Development Environment for Django Project. Visit https://speakerdeck.com/uranusjr/django-dev-environment-howto if you like SpeakerDeck. :)
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeNSConclave
The speaker is going to conduct a hands-on instrumentation workshop on android using Frida. Frida is a popular instrumentation framework that is really helpful in the dynamic analysis of Android apps.
https://nsconclave.net-square.com/dynamic-instrumentation.html
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.
During the OPNFV Mini Summit at the 2015 NFV World Congress, Chris Price, the OPNFV TSC chair, gave a talk detailing the community’s vision for the initial release of OPNFV, Arno, and expectations moving forward.
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech Talk - Dec 22 - 2015
Screen Recording: https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI
Automating Security Testing with the OWTFJerod Brennen
When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.
How can you avoid servers and get back to coding? Platform-as-a-service (PaaS) makes deployment easy. But which PaaS do you choose and how do you get started? This talk will examine several of the leading PaaS providers and discuss their pros/cons. We'll also give examples for how to deploy the same app to each of them to see the differences.
Frank Brockners, OPNFV TSC member and distinguished engineer with Cisco, presented "Deploy it, test it, run your VNF" during the OPNFV mini-summit as part of the 2015 NFV World Congress.
PyParis2018 - Python tooling for continuous deploymentArthur Lutz
How we migrated the build and deploy processes to a continuous delivery model, and the implications of such a change in terms of technology
but also team changes and the project management with the client. This talk will focus on the Python tooling that enabled to conduct such a
change, but also on the human changes it requires.
* changes in infrastucture, in particular, the use of python softare : docker-compose and saltstack
* tools for collecting errors as soon as possible : sentry (django based) and raven (its python library on the client-side)
* tools for continous integration and review : jenkins with the python tool "jenkins-job-builder", and the python based version control "mercurial"
* tools for metrics and supervision: graphite-api (python rewrite of graphite which ships with django), and saltstack for collecting custom business-oriented metrics from python script
* integrating the projects with cloud infrastructure, using python-nova, python-openstack and salt-cloud (openstack and AWS)
* change management in the team of developpers and the project management with the final users and project managers
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.
During the OPNFV Mini Summit at the 2015 NFV World Congress, Chris Price, the OPNFV TSC chair, gave a talk detailing the community’s vision for the initial release of OPNFV, Arno, and expectations moving forward.
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech Talk - Dec 22 - 2015
Screen Recording: https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI
Automating Security Testing with the OWTFJerod Brennen
When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.
How can you avoid servers and get back to coding? Platform-as-a-service (PaaS) makes deployment easy. But which PaaS do you choose and how do you get started? This talk will examine several of the leading PaaS providers and discuss their pros/cons. We'll also give examples for how to deploy the same app to each of them to see the differences.
Frank Brockners, OPNFV TSC member and distinguished engineer with Cisco, presented "Deploy it, test it, run your VNF" during the OPNFV mini-summit as part of the 2015 NFV World Congress.
PyParis2018 - Python tooling for continuous deploymentArthur Lutz
How we migrated the build and deploy processes to a continuous delivery model, and the implications of such a change in terms of technology
but also team changes and the project management with the client. This talk will focus on the Python tooling that enabled to conduct such a
change, but also on the human changes it requires.
* changes in infrastucture, in particular, the use of python softare : docker-compose and saltstack
* tools for collecting errors as soon as possible : sentry (django based) and raven (its python library on the client-side)
* tools for continous integration and review : jenkins with the python tool "jenkins-job-builder", and the python based version control "mercurial"
* tools for metrics and supervision: graphite-api (python rewrite of graphite which ships with django), and saltstack for collecting custom business-oriented metrics from python script
* integrating the projects with cloud infrastructure, using python-nova, python-openstack and salt-cloud (openstack and AWS)
* change management in the team of developpers and the project management with the final users and project managers
How to run system administrator recruitment process? By creating platform based on open source parts in just 2 nights! I gave this talk in Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create recruitment process in CTF / challenge way.
This story covers mostly security details of this whole platform. There's great chance, that I will give another talk about this system but this time focusing on technical details. Stay tuned ;)
Introduction to underlying technologies, the rationale of using Python and Qt as a development platform on Maemo and a short demo of a few projects built with these tools. Comparison of different bindings (PyQt vs PySide). PyQt/PySide development environments, how to develop most efficiently, how to debug, how to profile and optimize, platform caveats and gotchas.
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...NETWAYS
I gave a talk titled "Continuous Integration in data centers“ at OSDC in 2013, presenting ways how to realize continuous integration/delivery with Jenkins and related tools.Three years later we gained new tools in our continuous delivery pipeline, including Docker, Gerrit and Goss. Over the years we also had to deal with different problems caused by faster release cycles, a growing team and gaining new projects. We therefore established code review in our pipeline, improved our test infrastructure and invested in our infrastructure automation.In this talk I will discuss the lessons we learned over the last years, demonstrate how a proper continuous delivery pipeline can improve your life and how open source tools like Jenkins, Docker and Gerrit can be leveraged for setting up such an environment.
Similar to 2015 mindthesec mauro risonho de paula assumpcao rev01 firebits (20)
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Peripheral Devices
Aditya K Sood , SecNiche Security
Mauro Risonho de Paula Assumpção
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
1. OWASP OWTF THE OFFENSIVE (WEB) TESTING FRAMEWORK + PTES
PENETRATION TESTING EXECUTION STANDARD = KALI POWER
AUTO WEB PENTESTS
Mauro Risonho de Paula Assumpção
3. AGENDA
●
OWTF Intro
– Instalando OWTF com o Kali (apenas tools web)
●
Executando OWTF
– Parte 1: OWTF Passive + Semi-passive Web analysis
– Parte 2: OWTF Active Web analysis
– Parte 3: OWTF aux plugins – SE, IDs testing
●
Conclusão
●
Q&A
4. WHO I AM?
●
Mauro Risonho de Paula Assumpção aka
firebits
●
Nerd/Autodidata/Entusiasta/Pentester/Analista
em Vulnerabilidades/
Security Researcher/Instrutor/Palestrante e
Eterno Aprendiz de Conhecimentos
●
Analista em Segurança (R&D) pela Agility
Networks, focado no sistema SIS (RE de
Malwares, Deep Web e Pentest)
7. 7
OWTF - Offensive
(Web) Testing Framework
OWTF
Test Separation
Start
Without
permission
Automation
Unite Tools,
Knowledge,
Standards,
(OWASP and PTES)
Test Separation
Start
Without
permission
8. 8
OWTF Chess-like approach
OWTF
Run Tools
theHarvester
● Nikto
● Arachini
● W3af, etc
Run Tests directly
● Header Searches
● HTML Body searches
● Craftled requests, etc
Knowledge
Repository
● PoCs Links
● Resource Links
● OWASP mapping
Help Human analysis
Flag importance
● Tool Output manager
● Screenshot manager
● Notes Manager
● Report Assistant
Pentester
OWTF
9. 9
OWTF - Install
Kali 1.1.0 ou Kali 2 - tests (conforme o caso)
http://cdimage.kali.org/kali-1.1.0/kali-linux-1.1.0-amd64.iso
http://docs.kali.org/network-install/kali-linux-network-mini-iso-install
https://www.owasp.org/index.php/OWASP_OWTF
kali-linux-web = Kali Linux web app assessment tools (group install)
apt-get install kali-linux-web -y
github
git clone git://github.com/owtf/owtf.git
OWTF 1.0.1 Lionheart
wget https://github.com/owtf/owtf/archive/v1.0.1.tar.gz
tar -xvvf https://github.com/owtf/owtf/archive/v1.0.1.tar.gz
19. 19
python owtf.py -l web
Listar plugins OWTF - Web Attacks
OWASP OWTF + PTES = KALI
20. 20
Simulation mode “-s ”:
1) SIMULATES what OWTF will do (so it does not do it!):
2) Is useful to check the effect of a command before running it
#python owtf.py -s https://accounts.google.com | more
Simulation mode
OWASP OWTF + PTES = KALI
25. 25
CONCLUSÃO
OWASP OWTF não é “silver-bullet”, ou
seja “bala-de-prata” e não substitui o
processo manual, inteligente e humano
de pentesters, mas ajuda a automatizar
um pouco as coisas.
26. OBRIGADO!
Mauro Risonho de Paula Assumpção
Email mauro.risonho@gmail.com
Twitter @firebitsbr
Site https://firebitsbr.wordpress.com