Wednesday, April 29, 2015

OWASP Community Manager News Flash – April 2015

OWASP Community Manager News Flash – April 2015

Greetings OWASP Community,

I have managed several chapter transitions since joining in November and am often impressed by the thoughtful, professional, and caring attitudes of our leaders. Change can be stressful, particularly where status as a leader is concerned. I commend those who have stepped forward to help when help is needed, and to those who have graciously passed on the reins to new leaders, I offer my most sincere gratitude for your service and mentorship to your chapter participants.

Read on for tips on Chapter donations, social media management and where to go for technical support. If you are a new leader and need guidance to resources on the wiki or any of our communications systems, please let me know.

Best wishes,

Noreen Whysel
Community Manager
OWASP Foundation

Special Update on OWASP Nepal

I have reached out to members of the OWASP Nepal Chapter to offer our support in the aftermath of the earthquake there. I have so far heard from Guarab Pant (Thanks also to Riotaro Okada from our Japan chapter). Guarab reports that many Nepalese remain unsheltered and in need of water, food and warm clothing. Over 5,000 are confirmed dead.

One way to help is to join the efforts of OpenStreetMap to map buildings, wells (very important) and open areas (potential helicopter landing sites for bringing in supplies) in Nepal. This platform allows even inexperienced mappers to contribute, since all edits are reviewed by experts before they are made final. To learn how to participate, visit:

A Reminder: Many unsavory entities crop up at this time to take advantage of our charity and grief. One thing that we as a security community are aware of, but it bears repeating, is that we must be cautious about who we give funds to. You can help Nepal by engaging people in your personal and professional networks to give to known relief agencies, such as the Red Cross and UNICEF.

Hopefully, I will soon hear from other members of our OWASP community in Nepal and report other ways to help.

Latest News

What's New?
I just returned from a conference in Minneapolis where I led a workshop on Wikipedia editing and was struck by the similarity between the open, collaborative principles of Wikipedia and our own community. Like Wikipedia, our own wiki at offers anyone in our community the ability to contribute and comment on content and policies.

Every page on the OWASP wiki also has a corresponding Discussion page. Even user pages have a User Talk page that you can use to address comments to specific users. I encourage anyone who has a comment about a wiki page, to add your thoughts to the Discussion tab on that page. You can also add your questions to the Discussion tab of my User page here:

Chapter Leader Handbook Update
We are continuing with the Chapter Leader Handbook update. I have made edits to outdated information and corrected links. We have received some comments and discussion on various guidelines but could use your further input. As a collaborative community, everyone’s insight matters. If you have a chance, won’t you please look at the handbook and comment on anything that you feel should be revised or reworded:

Look for comments on the Discussion tab of each page of the handbook.
If you have any questions, please feel free to reach out to me.

IT Support – New Process
Starting in May, Matt Tesauro will be handling all IT requests exclusively via the IT Request system. Anyone can submit an IT ticket at or by sending an email to

Matt is also planning to migrate to a new host server in May or June and plans to work on upgrading to Mailman v3 following the server migration. You may notice temporary issues and disruptions as these migrations take place.

To learn more about what Matt does to support OWASP, visit User:Mtesauro on the Wiki.

Recent Chapter Activity

AppSec Events
The LATAM 2015 Tour finished its run of 10 countries in 13 full days of events and activities. For a recap of events, visit the LATAM event site ( and the LATAM Facebook page (

Up next, AppSecEU is May 19-22, 2015 in Amsterdam, and AppSecUSA will be held in San Francisco from September 22-25th. Call for trainings has opened for AppSecUSA. Be sure to register!

New Chapters/New Leaders
This month was primarily a month of chapter relaunches and leadership changes. We rebooted chapters in Manaus, Brazil, led by Fabio Lapuinka and welcomed a new leader to Charlottesville, Jeffrey Collyer.

We also have a new student chapter at Leeds Beckett University, with Joseph Gwynne-Jones serving as President, Christopher Easton as Vice president, James Johnson as Treasurer and Connor Wilson as Secretary. Dr. Cliffe Schreuders will serve as advisor. Leeds Beckett is also signing on as an Academic Sponsor. We introduced new leadership at University of Washington Bothell with Tyler Laws and Brendan Sweeney taking on the leader roles.

For information or to join these communities, please visit their chapter wiki pages:

Manaus, Brazil:


UW Bothell:

Tip: Managing Social Media

Many chapters use social media as an extension of their communications to reach the widest possible audience. OWASP has provided a set of guidelines for managing social media accounts. These guidelines are beneficial to our entire OWASP community and should be reviewed periodically to ensure that you are communicating effectively and appropriately.

OWASP Social Media Policy:

Posts to social media accounts are subject to the same code of ethics and principles as any of our volunteer activities. This means they must be open, polite and vendor neutral. Are you monitoring your social media activity? Are you aware that any OWASP branded account you create reflects the activity of everyone at the Foundation? Do you need assistance in addressing any improper activity by social media users in your chapter? Please let us know how we can help.

Bonus Tip: Donation Button

Every chapter and project is eligible for funding via donations from external sources. The Chapter page template has a PayPal button where people can make direct donations to benefit your efforts. The template is designed so that the Donate button appears near the top of the page, where it is visible to site visitors. Project pages may also include a Donate button.

If you do not see the Donate button on your chapter page, you may not be using the latest chapter template. If you need assistance, I can help you integrate your current page with the template content so you can begin collecting donations from your chapter page.


Chapter Leader Handbook: 

OWASP Social Media Policy:



Contact Me

Feel free to contact me at any time if you have a question or suggestion. To create a trackable case, please use the contact us form at

Wednesday, April 22, 2015

Fwd: OWASP Foundation April 21 Connector

OWASP Global Connector

April 22, 2015 | Contact Us | Brought to you by the OWASP Foundation

OWASP in the News

2015 WASPY awards and Global Board Elections

OWASP Translations

New Hacking-Lab Challenges

Support OWASP through Amazon Smile


OWASP KALP Mobile project


OWASP ZAP 2.4.0 is now available

Introduction to using ZAP with Docker

OWASP AppSensor - CISO Briefing

OWASP WASC Web Hacking Incidents Database Project

OWASP Automated threats to Web Applications Project


Global AppSec Events

Local and Regional Events

Partner and Promotional Events


New OWASP Chapters

Chapter Transitions

Chapter Activities

Updates to the Chapter Leader Handbook


Corporate Members

Social Media

OWASP Foundation Social Media


OWASP in the NEWS!

OWASP Projects and activities are often the subject of webcasts and podcasts. Sit back and relax as you watch and listen to these recent episodes.
Simon Bennetts - FLOSS Weekly ZAP interview
North Sweden Chapter leaders, Markus Orebrand and Magnus Hultdin were featured in an Infotech Umea article
Fabio Cerullo - OWASP and 2015 LATAM Tour - Mundo Hacker TV
HP and OWASP Internet of Things Top Ten at RSA conference - A Good Housekeeping Seal for the Connected Home | Security Ledger
Mark Miller - OWASP 24/7 Podcast Series

2015 Global Board elections and WASPY Awards

Be on the lookout for more information on the upcoming Elections and Annual Awards! The election process will begin May 1 with the Global Board call for candidates.
More information will follow via email.

OWASP Translation

Thank you to the local teams for translating OWASP documentation into many different languages.

CISO Guide in Spanish

New Hacking Lab Challenges

The Hacky Easter challenges have returned!
Hacky Easter 2015 is a free, white-hat hacking competition for education and fun. The competition runs until May 31, 2015. CLICK HERE to access the challenges! Good luck to all.

Support OWASP Through Amazon Smile

Did you know that when you access Amazon through the special OWASP charity link, OWASP receives a percentage of the purchase?
This is an easy way to help support OWASP. 100% of proceeds collected through Amazon Smile in 2015 will support the Women in AppSec initiative.


OWASP KALP Mobile project

OWASP KALP Mobile Project is for users around the world who want to view the OWASP Top 10 vulnerabilities, download the Top 10 list to their mobile device, and email it. It is a lightweight presentation of the OWASP Top 10 list, Cheat Sheets and Prevention Cheat Sheets taken from the OWASP site.
Visit the project page for links to download the application for Android and iOS devices.

OpenSAMM Consortium Launches Industry's First Public Benchmarking Data for Improving Software Security

OpenSAMM is an easy-to-use assessment which provides flexible datasets that can be customized by organization demographics, including sector, development and cultural profile, resulting in pragmatic milestones towards reducing overall security risk.
The expanded access to these datasets makes OpenSAMM available to a larger number of organizations, which previously weren't able to apply valuable benchmarking data to their particular case.
Each of the practical, constructive benchmarks within the framework was derived from best practices of leading application security firms.
Read the entire press release HERE
Open SAMM Project Page

OWASP ZAP 2.4.0 is now available

For complete details of all the changes, see the ZAP release blog post.
Some of the highlights are:
  • New "Attack" mode
  • Advanced Fuzzing
  • Access Control Testing
  • UI Changes
  • and much, much, much more!
Please consider attending the very first ZAP Summit which will take place at AppSec EU in Amsterdam on May 20, 2015. Attendees will have the opportunity to learn and extend their knowledge as well as hands on activities. Admission to the summit is free!

Introduction to using ZAP with Docker

Following the latest release of ZAP 2.4.0, Samuli Elomaa has written a brief introduction to using ZAP with Docker
What can you do with ZAP docker images? The main advantages are:
  • Integrating ZAP as part of docker based build/deploy CI-process in order to run non-interactive ZAP active scanning against other docker containers within the same cloud.
  • Quickly deploying ZAP to docker friendly datacenter in order to use ZAP for scanning applications behind firewalls.
  • Having the latest ZAP stable/weekly release inside isolated container in your personal workstation.
Read the full article with step by step instructions for using ZAP with Docker at the OWASP Blog.

OWASP AppSensor - CISO Briefing

AppSensor is about detecting and responding to attacks within software applications.
In February the project team created a two-page flyer "AppSensor - Introduction for Developers"
And now in April, a new 12-page booklet "AppSensor - CISO Briefing" has also been finalised
The CISO Briefing is also available to buy at cost in hardcopy.
These materials are intended to complement the more extended information on the microsite, project wiki and AppSensor - Guide. AppSensor is also participating in the project summit at AppSec EU in May.

OWASP WASC Web Hacking Incidents Database Project

WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents.
A useful way to use WHID is to help provide data for "Likelihood of Attack" RISK ratings. There is a lot of public "vulnerability" data publicly available, but which ones are actively being used by attackers?
Read more, find Top 10 mappings, and submit an incident by visiting WASC Web Hacking Incidents Database project page

OWASP Automated Threats to Web Applications Project

There is significant knowledge about application vulnerability types, and some general consensus about identification and naming. Issues relating to the misuse of valid functionality, which may be related to design flaws rather than implementation bugs, are less well defined. Yet these problems are seen day-in day-out by web application owners. Excessive abuse of functionality is commonly mistakenly reported as application denial-of-service (DoS) such as HTTP-flooding or application resource exhaustion, when in fact the DoS is a side-effect. Some examples are blog & comment spam, fake account creation, password cracking, web scraping, etc.
These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.
The OWASP Automated Threats to Web Applications Project is in the process of reviewing reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify and name classes of these - threat events to web applications that are undertaken using automated actions.
The aim is to produce an ontology providing a common language for devops, architects, business owners, security engineers, purchasers and suppliers/vendors, to facilitate clear communication and help tackling the issues. The project also intends to identify symptoms, mitigations and controls in this problem area. But for the moment the project would like to receive real-world experience on the prevalence and naming of such threats - especially from those responsible for the ongoing operation of web applications.
One way to help would be to complete the new survey which has been published this week. Help identify real-world automated threats using this Google Form:
For more information, please visit the Project Wiki Page

OWASP Events

Global AppSec Events

AppSec EU 2015: The Conference Program is Now Available!
Limited Seats are available in the pre conference Trainings

Wednesday, May 20 - One day courses:
Tuesday and Wednesday, May 19-20 - Two day courses:
Thursday and Friday 21st and 22nd May, 2015 are Conference Days including: Keynotes, CISO, DEV, Hack, Ops, and Research talks, HackPra Allstars, Hands on sessions, and more ...
AppSec USA 2015 (September 22-25, 2015, San Francisco, CA)
  • Tickets Sales Now Open! CLICK HERE to register!
  • Limited Sponsorships Are Still Available
  • Career Fair Spaces now open! Recruit the best AppSec Talent! Spaces are limited. Please contact Kelly Santalucia for more information or to reserve your spot.

Regional and Local Events

LASCON 2015 (October 19-22, 2015) Austin, TX
AppSec Rio de la Plata 2015 (November 17-20, 2015) Montevideo, Uruguay

Partner and Promotional Events

AppsWorld Germany 2015 (April 22-23, 2015) Berlin, Germany
NCCDC (April 24-26, 2015) San Antonio, TX
AppsWorld North America 2015 (May 12-13, 2015) San Francisco, CA. OWASP members receive 15% off delegate passes. Enter voucher code: I89GS/APPSP15
SANS CyberTalent Fair (May 14-15, 2015) Virtual, online
BSides Knoxville (May 15, 2015) Knoxville, TN
International Conference on Cyber Security (ICCS) (May 16-17, 2015) City of Redlands, CA. OWASP members receive 25% off the general event fee. Discount code ICCSOWASP
Cloud Security World 2015 (May 19-21, 2015) New Orleans, LA. OWASP members receive a 25% discount off the standard event fee. Discount code CLD15-OWASP
Hack In the Box (May 26-29, 2015) OWASP members receive 20% off by using discount code OWASP-HITB2015AMS
SC Congress Toronto (June 10 - 12, 2015) Toronto, Canada. Register with your @owasp email address and receive a discount.
Hack in Paris (June 15-19, 2015) La Plaine Saint-Denis, Paris
EuroPython 2015 (July 20-26, 2015) Bilbao, Spain
(ISC)2 Security Congress APAC 2015 (July 28-29, 2015) Manila, Philippines
BlackHat USA (August 1-6, 2015) Las Vegas, NV
BSides Las Vegas (August 4-5, 2015) Las Vegas, NV
Info Security Malaysia Conference (August 6, 2015) Kuala Lumpur
Security One2One Summit (October 4-6, 2015) Austin, TX
SecTor (October 19-21, 2015) Toronto, Canada


OWASP Chapters

New Chapters

Leeds Beckett University: New Student Chapter and Academic Supporter - Chapter Leaders - Joseph Gwynne-Jones - President, Christopher Easton - Vice President, James Johnson - Treasurer, Connor Wilson - Secretary, Cliffe Schreuders - Faculty Advisor

Chapter Transitions

Manaus, Brazil - New Chapter Leader - Fabio Lapuinka
Phoenix, AZ USA - New Chapter Leader - Joaquin Fuentes
Charlottesville, VA USA - New Chapter Leader - Jeff Collyer
UW Bothell Student Chapter - New Chapter Leaders - Tyler Laws, Brendan Sweeney

Chapter Activities

OWASP Noida, India is hosting a Cyber Safety Campaign tour across India. The tour began on 6 April 2015 at the Poddar International School in Nagpur, Maharashtra, India.
Check out the event on Facebook!
Check out the Twitter Feed!
Share your chapter's successes! Submit your stories here

Updating the Chapter Leader Handbook

Noreen Whysel, OWASP Community Manager has begun processing your comments and suggested changes to the Chapter Leader Handbook
To add your comments, go to the Chapter Handbook page. On each chapter of the handbook, click the "Discussion" tab at the top left of the page to review the suggested changes. You will need to log in to add your own suggestions. At this time do not make any edits to the Chapter Leader Handbook pages. Only add suggestions to the Discussion page. Please contact Noreen if you need assistance.


New Corporate Members

Renewed Corporate Members

Social Media

OWASP Social Media Sites

Monday, April 20, 2015

Introduction to using ZAP with Docker

By Samuli Elomaa


For those who are not familiar with it: Docker is an application container system, similar in spirit to User Mode Linux or LXC containers. An application is packaged together with the user-space files of a full OS install into an isolated container (the host kernel is shared) that can be deployed wherever it is needed.

Building an image is as simple as downloading the text file (a Dockerfile) that lists the base image and the OS commands to run on it and running the "docker build" command; alternatively, the "docker pull" command downloads pre-made images from Docker Hub.

To support ZAP usage in Docker environments, the ZAP project provides pre-made images that make it easy to run and deploy the Stable and Weekly versions of ZAP through Docker.

What can you do with ZAP docker images?

For me the main advantages are:
  • Integrating ZAP as part of docker based build/deploy CI-process in order to run non-interactive ZAP active scanning against other docker containers within the same cloud.
  • Quickly deploying ZAP to a docker friendly datacenter in order to use ZAP for scanning applications behind firewalls.
  • Having the latest ZAP stable/weekly release inside an isolated container in your personal workstation.

How to get started:

First you need to have the Docker tool installed. You can do this by following the instructions on the Docker website, or, on a Debian-compatible OS, with "apt-get install".

Once you have docker installed you can pull the latest zap docker image from owasp's docker image repository (hosted by docker hub).
docker pull owasp/zap2docker-stable
Or for weekly images:
docker pull owasp/zap2docker-weekly
This will download and install the zap docker images from docker project's image hub. Alternatively you can build your own with the docker files located at build/docker directory of the zap source code archive.

How to access ZAP running inside the container

  • ZAP GUI (via VNC)
  • Zapr for script/CI-friendly automatic active scanning without user interaction
  • The ZAP API in headless (daemon) mode

1. GUI via VNC

The easiest way to access the ZAP GUI is via the embedded vnc-server:
docker run -u zap -p 5900:5900 -p 8080:8080 -i owasp/zap2docker-stable x11vnc --forever --usepw --create
This first asks you to set a VNC server password and then starts the VNC session, which you can connect to with your VNC client (in the example, localhost on TCP port 5900). To reach the ZAP proxy from your web browser, point its HTTP proxy setting at your Docker host's IP (or localhost) and TCP port 8080. When you are done, stop the container with Ctrl+C.

To get report files out of the container, use the data volume mounting option: -v localdir:/home/zap/ (note that this has problems on systems such as boot2docker, where the Docker daemon runs inside a VM and localdir refers to that VM's filesystem rather than your own). See the following page for more detail on managing data in Docker containers:


2. Zapr

Zapr is a Ruby script for ZAP that runs a non-interactive active scan against the targets you give it, which is convenient for cron jobs or shell scripts. Note that Zapr's summary report is printed to the console after the docker command runs.
docker run -u zap -i owasp/zap2docker-stable zapr --debug --summary http://target

3. API or headless mode

The best way to integrate ZAP as part of your CI-scripts (if you use Java or Python) is through the API:
docker run -p 8090:8090 -i owasp/zap2docker-stable -daemon -port 8090 -host
When this is running, you can access the ZAP API from localhost or the host's IP at TCP port 8090, e.g. http://dockerip:8090/. Bear in mind that the -p mapping publishes the API on every interface of the Docker host, so anything that can reach that port can drive your scanner; publish it only on networks you trust.
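As an added example (not ZAP project code or the zapr script), here is the workflow a CI job runs against that daemon through the JSON API: start the spider, wait for it, start an active scan, wait for it, then pull the alerts and decide whether the build fails. It assumes the container above is reachable at ZAP_URL, that the target is reachable from inside the container, and that the instance either has no API key or that ZAP_API_KEY holds it; the endpoint paths are ZAP's documented JSON API (spider, ascan, core), and FakeZap is a constructed stand-in so the code runs offline.

```python
"""Drive a headless ZAP daemon through its JSON API from a CI script.

Added example for this post, not ZAP project code. Assumes a daemon started
as above and reachable at ZAP_URL; FakeZap is a constructed stand-in for it.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://localhost:8090"  # assumption: -p 8090:8090 on the docker host
ZAP_API_KEY = ""                   # optional; sent as the 'apikey' query parameter
TARGET = "http://target"           # placeholder target, as in the zapr example above


def api_url(component, kind, name, params, base=ZAP_URL, apikey=ZAP_API_KEY):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<view|action>/<name>/?<params>."""
    query = dict(params)
    if apikey:
        query["apikey"] = apikey
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def http_get_json(url):
    """Default transport: plain HTTP GET against the daemon, JSON body decoded."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for_scan(fetch, component, scan_id, poll_seconds=2.0, sleep=time.sleep):
    """Poll <component>/view/status until ZAP reports the scan 100% complete."""
    while True:
        status = int(fetch(api_url(component, "view", "status", {"scanId": scan_id}))["status"])
        if status >= 100:
            return status
        sleep(poll_seconds)


def run_scan(target=TARGET, fetch=http_get_json, sleep=time.sleep):
    """Spider the target, actively scan what was found, return the alerts raised."""
    spider_id = fetch(api_url("spider", "action", "scan", {"url": target}))["scan"]
    wait_for_scan(fetch, "spider", spider_id, sleep=sleep)
    ascan_id = fetch(api_url("ascan", "action", "scan",
                             {"url": target, "recurse": "true"}))["scan"]
    wait_for_scan(fetch, "ascan", ascan_id, sleep=sleep)
    return fetch(api_url("core", "view", "alerts", {"baseurl": target}))["alerts"]


RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk labels


def summarize(alerts):
    """Count alerts per risk level."""
    counts = {}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def should_fail_build(alerts, minimum_risk="High"):
    """True if any alert is at or above minimum_risk: the CI gate."""
    threshold = RISK_ORDER.index(minimum_risk)
    return any(RISK_ORDER.index(a["risk"]) >= threshold
               for a in alerts if a.get("risk") in RISK_ORDER)


class FakeZap:
    """Constructed offline stand-in: answers the calls run_scan() makes and
    reports each scan complete on its second status poll."""

    def __init__(self, alerts):
        self.alerts = alerts
        self.polls = {}

    def __call__(self, url):
        parts = urllib.parse.urlparse(url).path.strip("/").split("/")
        component, kind, name = parts[1], parts[2], parts[3]
        if kind == "action" and name == "scan":
            return {"scan": "0"}
        if kind == "view" and name == "status":
            self.polls[component] = self.polls.get(component, 0) + 1
            return {"status": "100" if self.polls[component] >= 2 else "50"}
        if component == "core" and name == "alerts":
            return {"alerts": self.alerts}
        raise ValueError("unexpected API call: " + url)


# Constructed sample alerts, in the shape core/view/alerts returns them.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "url": "http://target/item?id=1"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Low", "url": "http://target/"},
]


def demo(fetch=None, sleep=lambda _s: None):
    """Run the workflow, offline against FakeZap unless a real fetch is given."""
    alerts = run_scan(TARGET, fetch=fetch or FakeZap(SAMPLE_ALERTS), sleep=sleep)
    return summarize(alerts), should_fail_build(alerts)
```

Against a live daemon, call demo(fetch=http_get_json, sleep=time.sleep); both status views return a percentage, so the same polling loop serves the spider and the active scanner, and a single risk threshold turns the alert list into a pass/fail result for the pipeline.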

See more details regarding the ZAP api usage here:

For the Docker help, the docker project has nice Docker User guide at:

Happy Hacking!

Tuesday, April 14, 2015


ZAP is an OWASP Flagship project, and is currently the most active open source web application security tool.

A major new release of ZAP, 2.4.0 is now available:

For a quick introduction to the new release see this video:

Some of the most significant changes include:

‘Attack’ Mode

A new ‘attack’ mode has been added: applications that you have marked as in scope are actively scanned as they are discovered.

Advanced Fuzzing

A completely new fuzzing dialog allows multiple injection points to be attacked at the same time and introduces new attack payloads, including the option to generate payloads with scripts and to run pre- and post-attack manipulation and analysis.

Scan Policies

Scan policies define exactly which rules are run as part of an active scan.
They also define how these rules run influencing how many requests are made and how likely potential issues are to be flagged.
The new Scan Policy Manager dialog allows you to create, import and export as many scan policies as you need. You can select any scan policy when you start an active scan, and also specify the one used by the new attack mode.
Scan policy dialog boxes allow sorting by any column, and include a quality column (indicating if individual scanners are Release, Beta, or Alpha quality).

Scan Dialogs with Advanced Options

New Active Scan and Spider dialogs have replaced the increasing number of right click 'Attack' options. These provide easy access to all of the most common options and optionally a wide range of advanced options.

Hiding Unused Tabs

By default only the essential tabs are now shown when ZAP starts up.
The remaining tabs are revealed when they are used (e.g. for the spider and active scanner) or when you display them via the special tab on the far right of each window with the green '+' icon. This special tab disappears if there are no hidden tabs.
Tabs can be closed via a small 'x' icon which is shown when the tab is selected.
Tabs can also be 'pinned' using a small 'pin' icon that is also shown when the tab is selected - pinned tabs will be shown when ZAP next starts up.

New Add-ons

Two significant new ‘alpha’ quality add-ons are available:
  • Access Control Testing: adds the ability to automate many aspects of access control testing.
  • Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order to work correctly.
These can both be downloaded from the ZAP Marketplace.

New Scan Rules

A number of significant new ‘alpha’ quality scanners are available:
  • Relative Path Confusion: Allows ZAP to scan for issues that may result in XSS, by detecting if the browser can be fooled into interpreting HTML as CSS.
  • Proxy Disclosure: Allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
  • Storability / Cacheability: Allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and application performance perspective. The scanner follows RFC 7234.
Support has also been added for Direct Web Remoting as an input vector for all scan rules.
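To make the Storability / Cacheability check concrete, here is the RFC 7234 decision logic as an added example (it is not the ZAP scan rule's code). It takes a response's status and headers, assumes a plain GET request plus an explicit flag for whether the request carried Authorization, and reports whether a shared cache may store the response and whether it could later answer a similar request without going back to the origin. The sample responses at the bottom are constructed.

```python
"""Shared-cache storability and reuse per RFC 7234 (sections 3 and 4.2).

Added example for this post, not the ZAP rule's code. Headers are a dict
compared case-insensitively; the request is assumed to be a GET.
"""
from email.utils import parsedate_to_datetime

# RFC 7234 4.2.2: status codes a cache may store with heuristic freshness.
HEURISTICALLY_CACHEABLE_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse 'public, max-age=60, no-cache' into {'public': None, 'max-age': '60', ...}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def freshness_lifetime(cc, headers):
    """Seconds a shared cache may treat the response as fresh (RFC 7234 4.2.1),
    or None when no explicit lifetime is given and heuristics would apply."""
    for directive in ("s-maxage", "max-age"):   # s-maxage wins for shared caches
        if directive in cc and (cc[directive] or "").isdigit():
            return int(cc[directive])
    if "expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["expires"])
            date = parsedate_to_datetime(headers["date"])
            return max(0, int((expires - date).total_seconds()))
        except (KeyError, TypeError, ValueError):
            return 0   # invalid or missing dates: already stale (RFC 7234 5.3)
    return None


def shared_cache_analysis(status, headers, request_has_authorization=False):
    """Return {'storable', 'reason', 'fresh_for', 'servable'} for a shared cache.
    'servable' is True if a later similar request can be answered from the cache
    without contacting the origin, False if revalidation is required, and
    'heuristic' if the cache may assign its own freshness (RFC 7234 4.2.2)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    result = {"storable": False, "reason": "", "fresh_for": None, "servable": False}
    if "no-store" in cc:
        result["reason"] = "Cache-Control: no-store"
        return result
    if "private" in cc:
        result["reason"] = "Cache-Control: private (storable only by a private cache)"
        return result
    if request_has_authorization and not ({"public", "must-revalidate", "s-maxage"} & set(cc)):
        result["reason"] = "Authorization request without public/must-revalidate/s-maxage"
        return result
    explicit = "public" in cc or "max-age" in cc or "s-maxage" in cc or "expires" in h
    if not explicit and status not in HEURISTICALLY_CACHEABLE_STATUS:
        result["reason"] = f"status {status} is not cacheable by default"
        return result
    result["storable"] = True
    result["reason"] = "explicit freshness or public" if explicit else "cacheable-by-default status"
    result["fresh_for"] = freshness_lifetime(cc, h)
    if "no-cache" in cc:
        result["servable"] = False          # must revalidate before every reuse
    elif result["fresh_for"] is None:
        result["servable"] = "heuristic"
    else:
        result["servable"] = result["fresh_for"] > 0
    return result


# Constructed sample responses (status, headers) of the kinds ZAP sees.
SAMPLE_RESPONSES = {
    "personalised page, no cache headers": (200, {"Content-Type": "text/html",
                                                  "Set-Cookie": "session=abc123"}),
    "private profile": (200, {"Cache-Control": "private, max-age=600"}),
    "static asset": (200, {"Cache-Control": "public, max-age=60, s-maxage=300"}),
    "must revalidate": (200, {"Cache-Control": "no-cache, max-age=60"}),
    "expires header": (200, {"Date": "Wed, 22 Apr 2015 10:00:00 GMT",
                             "Expires": "Wed, 22 Apr 2015 10:05:00 GMT"}),
    "server error": (500, {}),
}


def analyse_all(samples=SAMPLE_RESPONSES):
    """Run the analysis over every sample; returns {name: result}."""
    return {name: shared_cache_analysis(status, hdrs) for name, (status, hdrs) in samples.items()}
```

The first sample is the privacy case the rule exists for: a personalised 200 response that sets a cookie but sends no Cache-Control header is storable by default and may be served heuristically to another user of the same shared cache. Cache-Control: private or no-store on that response is what closes it.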

Changed Scan Rules

  • External Redirect: This plugin’s ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**). Additionally some minor changes have been implemented to prevent collisions between injected values and in-page content, and improve performance. (Issues: 1529 and 1569)
  • Session ID in URL Rewrite: This plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. Minimum length for session IDs as this plugin interprets them is now eight (8) characters.
  • Client Browser Cache: The active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)
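As an added example (not the ZAP rule's code), here is a passive check of the kind the Session ID in URL Rewrite rule performs, with the eight-character minimum length applied so that a value like sid=5 is no longer reported. The list of parameter names is an assumption (common framework session-ID names, not ZAP's list), and the proxy history it is run over is constructed.

```python
"""Passive check for session identifiers exposed in URLs, with a minimum
length guard so that a short value such as sid=5 is not reported.

Added example for this post, not the ZAP rule's code.
"""
from urllib.parse import urlsplit, parse_qsl

SESSION_PARAM_NAMES = {        # assumption: typical framework session-ID names
    "jsessionid", "phpsessid", "aspsessionid", "asp.net_sessionid",
    "cfid", "cftoken", "sessionid", "session_id", "sessid", "sid",
}
MIN_SESSION_ID_LENGTH = 8     # the 2.4.0 threshold quoted in the release notes


def candidate_params(url):
    """Yield (name, value) for query parameters and for ';name=value' path
    parameters, which is where servlet containers put jsessionid."""
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield name, value
    for segment in parts.path.split("/"):
        for matrix in segment.split(";")[1:]:
            name, _, value = matrix.partition("=")
            yield name, value


def session_ids_in_url(url, names=SESSION_PARAM_NAMES, min_length=MIN_SESSION_ID_LENGTH):
    """Return [(param, value)] for session-ID-like parameters long enough to be real."""
    return [(name, value) for name, value in candidate_params(url)
            if name.lower() in names and len(value) >= min_length]


def mask(value, keep=4):
    """Keep only the first few characters when reporting, so the finding itself
    does not leak a usable session token."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_history(urls):
    """Run the check over a proxy history; one finding per exposed token."""
    findings = []
    for url in urls:
        for name, value in session_ids_in_url(url):
            findings.append({"url": url, "param": name, "value": mask(value)})
    return findings


# Constructed proxy history: the first two should be reported, the rest not.
SAMPLE_HISTORY = [
    "http://target/account;jsessionid=1A530637289A03B07199A44E8D531427?tab=orders",
    "http://target/cart?item=42&PHPSESSID=ab3f9c0d2e7b1144",
    "http://target/search?sid=5",                   # the old false positive
    "http://target/docs/page?id=12345678",
]
```

The length check is what separates the two cases the release notes describe: a real token in the URL ends up in browser history, proxy logs and the Referer header of every outbound link, while a single-digit sid is almost certainly something else and would only add noise to the report.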

More User Interface Changes

  • The ZAP splash screen is back: It now includes new graphics, a tips & tricks module, and loading/progress info.
  • The active scan dialog shows each plugin's real progress, based on the number of nodes that need to be scanned.
  • There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to “Remember” the option and not be asked again).
  • For all Alerts the Reliability field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High, or Confirmed).
  • Timestamps are now optionally available for the output tab.

Extended API Support

The API now supports spidering and active scanning of multiple targets concurrently, the management of scan policies, and even more of ZAP's functionality.

Internationalized Help Add-ons

The help files are internationalized via
If you use ZAP in one of the many languages we support, then look on the ZAP Marketplace to see if the help files for that language are available. These will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.

Release Notes

See the Release Notes for a full list of all of the changes included in this release.

ZAP Community - first Summit and scripts on GitHub

Although it's not directly related to this release, this is too good an opportunity not to mention the very first ZAP Summit, which will take place at AppSec EU in Amsterdam on May 20th 2015.
Entry is free - come along and help define the future direction of ZAP!
And we have a set of ZAP community scripts on GitHub - pull requests very welcome!

To keep up to date with ZAP related news follow @zaproxy on twitter.