web application security lab

OWASP Live CD

If you do a lot of application security you may have already heard of the OWASP Live CD. To quote the website, “The OWASP Live CD (LabRat) is a bootable CD akin to knoppix but dedicated to Application Security. It shall serve as a vehicle and distrubition (sic) medium for OWASP tools and guides.” Pretty cool idea, and I’ve used it before, but a few things came to mind as I was re-reading the documentation this morning.

Firstly, I’d like to see something similar to this, but instead of just being an OWASP collection it should be a collection of ALL web application security tools. That would be a lot more useful. Secondly, it should have a browser that is already tweaked and ready to go with all the extensions that we all tend to use while doing penetration tests. I think that would make a big difference, and it’s one of the reasons I tend not to use pre-canned CDs much for my own testing.

But one other thing came to mind as I was reading this that I think is worth talking about. Why haven’t we seen a secure webserver package? To install Apache on your machine you have to download it or build it from ports (hopefully knowing ahead of time which .so modules you want compiled in), then configure it: the right location, the right port, SSL keys, the right security settings, and the right rules if you run mod_security, et al. The permissions are hokey, things like TRACE are turned on by default, the webserver signature is turned on, there are tons of default images to help fingerprinting, blah blah. Why isn’t there a distro of Apache that is built with security in mind out of the box?
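The Apache defaults listed above (TRACE enabled, the full server banner in ServerTokens, ServerSignature on, the stock /icons/ alias) can be audited and corrected mechanically rather than by hand each install. The script below is an added example, not code from this post or from the Apache project: it parses a constructed httpd.conf, reports each weak setting with the hardened directive that replaces it, and emits the corrected config. The defaults it assumes for absent directives are Apache's documented ones (TraceEnable on, ServerTokens Full, ServerSignature Off). It goes slightly beyond the post by also flagging `Options Indexes`, since directory listings are another out-of-the-box fingerprinting aid.

```python
"""Audit a stock httpd.conf for the insecure defaults named in the post and
produce a hardened copy.  Added example; the config text is constructed."""

# Constructed sample resembling a freshly installed httpd.conf (not a real file).
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache2"
Listen 80
# Stock settings -- most builds ship like this
#TraceEnable on
ServerTokens Full
ServerSignature On
Alias /icons/ "/usr/local/apache2/icons/"
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Apache's documented value when the directive is simply absent, so that an
# unset line is judged the same way as an explicit weak one.
DEFAULTS = {"traceenable": "on", "servertokens": "Full", "serversignature": "Off"}

# lowercase directive -> (acceptable values, hardened line, why it matters)
CHECKS = {
    "traceenable": ({"off"}, "TraceEnable off",
                    "TRACE echoes request headers back to the client"),
    "servertokens": ({"prod", "productonly"}, "ServerTokens Prod",
                     "full version banner makes fingerprinting trivial"),
    "serversignature": ({"off"}, "ServerSignature Off",
                        "error pages leak the server version and hostname"),
}


def parse_directives(conf_text):
    """Map lowercase directive -> raw value for uncommented, non-section lines.
    Later occurrences win, which matches how a flat config is usually read."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip()
    return found


def audit(conf_text):
    """Return [(directive, current value, recommended line, reason), ...]."""
    directives = parse_directives(conf_text)
    findings = []
    for name, (ok, fix, why) in CHECKS.items():
        value = directives.get(name, DEFAULTS[name])
        if value.lower() not in ok:
            findings.append((fix.split()[0], value, fix, why))
    alias = directives.get("alias", "")
    if alias.startswith("/icons/"):
        findings.append(("Alias", alias, "remove the /icons/ alias",
                         "the stock icon set is a well-known fingerprint"))
    options = directives.get("options", "")
    if "indexes" in options.lower().split():
        findings.append(("Options", options, "Options -Indexes",
                         "directory listings expose file names"))
    return findings


def harden(conf_text):
    """Return a copy of the config with each flagged directive rewritten (or
    appended if absent), the /icons/ alias dropped and Indexes removed."""
    out, seen = [], set()
    for raw in conf_text.splitlines():
        stripped = raw.strip()
        parts = stripped.split()
        key = parts[0].lower() if parts and stripped[0] not in "#<" else ""
        if key in CHECKS:
            out.append(CHECKS[key][1])
            seen.add(key)
            continue
        if key == "alias" and len(parts) > 1 and parts[1].startswith("/icons/"):
            continue  # drop the alias entirely
        if key == "options":
            indent = raw[: len(raw) - len(raw.lstrip())]
            opts = [o for o in parts[1:] if o.lower() != "indexes"]
            out.append(f"{indent}Options {' '.join(opts) if opts else 'None'}")
            continue
        out.append(raw)
    for key, (_, fix, _) in CHECKS.items():
        if key not in seen:
            out.append(fix)  # directive was missing, so add the hardened form
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, current, fix, why in audit(SAMPLE_CONF):
        print(f"{directive}: {current!r} -> {fix}  ({why})")
    print("--- hardened ---")
    print(harden(SAMPLE_CONF))
```

Running it against the sample reports five findings and the hardened output audits clean; the same two functions can be pointed at a real httpd.conf, with the caveat that the parser is flat and does not follow Include directives or honour per-section overrides.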

3 Responses to “OWASP Live CD”

  1. Garrett Says:

    A full pentest environment in a bootable cd is a great idea. There are a few groups that are trying to make this idea happen like backtrack. But they are focused more on network level attacks over web attacks. Also, I think they try to include everything they can get a hold of, and never used or tested them in the first place. I tried to use some tools in there and it simply didn’t work.

    I can understand how hard it is to build, as I was the one that created the first bootable cd for security auditing and forensics way back in the day (http://sourceforge.net/projects/plac).

    The other problem is that tools get updated fairly often, which the admin would need to track. And then there are the private tools that everyone develops on their own time.

    I am certainly open to helping or even building this platform, but I think input from other pentesters is a must.

  2. ntp Says:

    a secure web server package: http://cr.yp.to/publicfile.html

    as far as the owasp live cd, it leaves a lot to be desired. maybe there will be more as owasp guide 3.0 and the testing guide v3 come into play. have you heard that owasp is trying to score a deal with Syngress to publish testing guide v3?

    it would be neat if other organizations made live CDs for assessment work, particularly, i’d like to see one from Fortify, Coverity, OunceLabs, Grammartech, et al… which created a bootable “secure development environment” to play with, even if it was all open-source tools or demoware.

    Even better would be if Microsoft or Sun created one centered around .NET or Java development. Have you seen or played with PreSharp yet? Apparently, it’s Microsoft’s new internal tool for Prefast/Prefix C# development. I wouldn’t be surprised if Microsoft bought OunceLabs in the near-term.

    Is it just me, or is [automated] dynamic analysis / fault-injection scanning past its peak? Once these SCA tools make it into the frameworks and developers get certified on SANS-SSI or similar, we may see a trend against dynamic analysis, especially black box / zero-knowledge testing. I’m actually quite for developer integration of tools, not vulnerability assessors (sometimes called: pen-testers) hoarding all the good tools for themselves.

  3. Al Gore Says:

    OpenBSD has a secure webserver… If it’s on an insecure OS (read: Windows, OSX, and Ubuntu), it’s not secure, now is it?