Posts Tagged "OWASP"

Stratum Sponsoring First OWASP Tampa Day


Stratum is proud to be sponsoring the first OWASP Tampa Day this Monday, June 20th. The free event will feature presentations aimed at providing developers and Information Security professionals with an introduction to application security. The event features 4 presentations from application security experts and sold out in less than 48 hours with 76 registered attendees. You can visit the event’s Eventbrite page for more information.

Stratum’s own Trevor Hawthorn will be presenting PCI for Developers: Lessons from the Real World:

Any organization that stores, processes, or transmits credit card data must comply with the Payment Card Industry’s (PCI) Data Security Standards (DSS). PCI can be daunting even for compliance and security experts. If you are a developer, it can be a major headache. Sooner or later the day will come when you (or your developers) will need to integrate PCI into your Software Development Lifecycle (SDLC). During this talk Trevor will discuss what is required to meet PCI compliance, and examine how a wide variety of organizations tackle their compliance obligations.

Stratum is also a sponsor of the OWASP Tampa chapter.

Automate Nikto with doNikto


Nikto (http://cirt.net/nikto2) is an open source web scanner that checks for several different types of vulnerabilities, including:

  • Over 6400 potentially dangerous files/CGIs
  • Outdated versions of over 1000 servers
  • Version specific problems for over 270 servers

Nikto was developed by a friend of mine, Chris Sullo (@chrissullo), and is now maintained by Sullo and David Lodge. Version 2.1.3 was released in February of this year after getting back from a lengthy tour of European pubs, or so I am told.

I personally still use Nikto on all of my assessments, as it provides a good supplement to other automated scanning tools. To help automate the process of scanning hundreds of web servers, I wrote a simple Python script that takes a specially formatted host file (IP address or hostname,port) and runs Nikto continuously against them. doNikto generates a separate HTML output file for each line in the host file (Nikto_IP/Hostname_Port.html) in the current directory.

To get doNikto running on your system, simply make sure you have Python installed on your system. Snow Leopard and Ubuntu users, you’re good. Windows users, check out http://python.org. I recommend installing the latest release of Python 2 (currently 2.6.6).

Once you have Python installed, and of course Nikto, download doNikto.py here and install it in the same directory as nikto.pl. You can invoke doNikto by simply typing:

python doNikto.py

or you can type:

chmod +x doNikto.py

and call it via

./doNikto.py

Once you have doNikto all set up, it is pretty straightforward to use:

Old-Trafford:nikto-2.1.3 jmorehouse$ ./doNikto.py
USAGE:
python donikto.py [Host File]
Host file should be in IP,Port format, with one host per line.
(e.g. 192.168.1.1,80)

So a sample host file would look something like:

192.168.1.1,80
some.webserver.com,443
forgotten.tomcatserver.org,8080

Finally, you can Ctrl+C doNikto to skip a hung server and proceed to the next server in the host file.
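To make the behaviour described above concrete, here is an added, hypothetical re-implementation of a doNikto-style batch runner. It is not the original doNikto.py and not part of this post; it is written for Python 3 rather than the Python 2 release recommended above. It assumes nikto.pl sits in the current directory (as the post requires) and that Nikto 2.1.x accepts the -host, -port, -Format htm and -output options (check perl nikto.pl -Help for your version). The sample host file is the one from the post, embedded as a string so the parsing can be exercised without running a scan.

```python
#!/usr/bin/env python3
"""doNikto-style batch runner (added example, not the original doNikto.py).

Reads a HOST,PORT-per-line file, runs Nikto once per line and writes
Nikto_<host>_<port>.html for each target into the current directory.
Ctrl+C during a scan skips that host and moves on to the next one.
"""
import subprocess
import sys

NIKTO = "nikto.pl"  # assumption: nikto.pl is in the current directory

# Sample host file taken from the post (constructed here as an inline string).
SAMPLE_HOST_FILE = """192.168.1.1,80
some.webserver.com,443
forgotten.tomcatserver.org,8080
"""


def parse_host_file(text):
    """Turn 'host,port' lines into a list of (host, port) tuples.

    Blank lines and '#' comments are ignored. A malformed line raises
    ValueError immediately, so a typo is caught before a long scan starts.
    """
    targets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not parts[0] or not parts[1].isdigit():
            raise ValueError("line %d: expected HOST,PORT, got %r" % (lineno, raw))
        port = int(parts[1])
        if not 1 <= port <= 65535:
            raise ValueError("line %d: port out of range: %d" % (lineno, port))
        targets.append((parts[0], port))
    return targets


def output_name(host, port):
    """Nikto_<host>_<port>.html; anything unsafe for a filename becomes '_'."""
    safe = "".join(c if c.isalnum() or c in ".-" else "_" for c in host)
    return "Nikto_%s_%d.html" % (safe, port)


def build_command(host, port, nikto=NIKTO):
    """argv for one scan. List form means no shell is involved, so a
    hostname from the file is never interpreted by a shell."""
    return ["perl", nikto, "-host", host, "-port", str(port),
            "-Format", "htm", "-output", output_name(host, port)]


def run_all(targets, runner=subprocess.call):
    """Scan each target in turn; returns {(host, port): status}.

    A KeyboardInterrupt (Ctrl+C) raised while a scan is running marks that
    host 'skipped' and the loop continues with the next target. `runner`
    is injectable so the control flow can be tested without Nikto.
    """
    results = {}
    for host, port in targets:
        cmd = build_command(host, port)
        print("[*] scanning %s:%d -> %s" % (host, port, cmd[-1]))
        try:
            rc = runner(cmd)
            results[(host, port)] = "done" if rc == 0 else "error(%s)" % rc
        except KeyboardInterrupt:
            print("[!] interrupted, skipping %s:%d" % (host, port))
            results[(host, port)] = "skipped"
    return results


def main(argv):
    if len(argv) != 2:
        print("USAGE:\npython doNikto.py [Host File]\n"
              "Host file should be in IP,Port format, with one host per line.\n"
              "(e.g. 192.168.1.1,80)")
        return 1
    with open(argv[1]) as fh:
        targets = parse_host_file(fh.read())
    run_all(targets)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the scan runner is passed in as a parameter, the skip-on-Ctrl+C logic can be checked with a fake runner that raises KeyboardInterrupt for one host; in real use a single Ctrl+C reaches both the Perl child and this script, which is what lets the loop continue.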

That’s all there is. Pretty straightforward and something I find useful on a regular basis. Let me know if you have any issues or suggestions and enjoy!

Trevor Hawthorn speaking at OWASP Tampa March 24, 2010


I will be giving my Shmoocon talk The New World of Smartphone Security at OWASP Tampa on March 24th, 2010. If you would like to attend please RSVP to the chapter leader Justin Moorehouse.

More information can be found on the OWASP Tampa page.