[Full-disclosure] Owasp SiteGenerator v0.70 (public beta release)

[Dinis Cruz]

After much development and hard work here is the first stable (beta) release of the new Owasp SiteGenerator tool (whose Open Source development has been sponsored by Foundstone) Owasp SiteGenerator allows the creating of dynamic websites based on XML files and predefined vulnerabilities (some simple to detect/exploit, some harder) covering multiple .Net languages and web development architectures (for example, navigation: Html, _javascript_, Flash, Java, etc...). SiteGenerator can be used on the following projects:     - Evaluation of Web Application Security Scanners     - Evaluation of Web Application Firewalls     - Developer Training     - Web Honeypots     - Web Application hacking contests (or evaluations) You can read an introduction to this tool here (http://sourceforge.net/mailarchive/message.php?msg_id=14547158), and download the latest version from here: Website installer: http://www.ddplus.net/projects/FoundStone/21-March-2006/SiteGenerator_IIS_Website_Setup v0.70.msi Gui Installer: http://www.ddplus.net/projects/FoundStone/21-March-2006/Owasp SiteGenerator v0.70.msi Some installation and configuration notes (which you only need to do once): Before you install the website do this (assuming a windows 2003 image) Create a new Application pool, call it SiteGeneratorSystemAppPool), and configure it to run under System Create a new website and point it to a local directory (the website installation files will be copied here) Configure the new website to run Asp.Net 2.0 Create a new Application in that website and set the application pool to SiteGeneratorSystemAppPool Add a IIS wildcard Application Mapping (accessible via Home Directory -> Configuration) to  C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll and untick the 'Verify that file exists' Make sure Default.htm is one of the files included in the default document list (in the 'Documents' tab) Configure the Website's IP Address to be 127.0.0.1, and click on the Advanced button to add a new host header mapping IPAddress: 127.0.0.1 TCP Port: 80 Host Header Value: SiteGenerator Install the WebSite (selecting as the target the website created in the previous step) Install the GUI Add this line to your hosts file (located in C:\window\system32\drivers\etc\hosts) SiteGenerator        127.0.0.1 Click on the SiteGenerator link that was placed on your desktop If all goes well you now can browse to http://SiteGenerator or http://127.0.0.1 (depending if you did the mappings or not) and see the default SiteGenerator's website. If you see a blank page, try http://127.0.0.1/Default.htm (you might be getting a cached version of http://127.0.0.1) Note that the SQL Injection vulnerabilities expect that you have the latest version of HacmeBank (v2.0) installed in your box. I am in the process of creating several videos (covering the installation and GUI) which I am sure will be very useful and practical. Also if you are interested in helping in the development of SiteGenerator or in its vulnerabilities database, then contact me directly. Best regards Dinis Cruz Owasp .Net Project www.owasp.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/