Start demoing application security today!
A live demo always beats a slide-only presentation. With OWASP 1-Liner you can demo what application security is about, both in terms of attacks and countermeasures.
Demos currently supported include XSS (with BeEF), CSRF against RESTful services, clickjacking, double submit anti-CSRF bypass, and multi-step CSRF.
How To Download and Install
Full instructions and source code are available on GitHub.
Don't hesitate to send a pull request via GitHub if you have a patch or have added a new countermeasure or attack.
How To Use OWASP 1-Liner
You typically run demos by opening OWASP 1-Liner in two different browsers and setting a different user in each. That allows you to chat between the browsers, and of course to attempt attacks between them.
OWASP 1-Liner is deployed on your own machine. This is the quickest way to get going:
- Clone https://github.com/johnwilander/owasp-1-liner using Git
- Enter '127.0.0.1 local.1-liner.org' and '127.0.0.1 attackr.se' in your hosts file
- Make sure you have Gradle installed
- Go to the root folder of your cloned OWASP 1-Liner in a shell
- Execute 'gradle jettyRun'
- Surf to https://local.1-liner.org:8444
- Check out OWASP_1-Liner_Demos.txt for demo inspiration (it's in the source root folder)
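The steps above, collected into a small POSIX shell helper. This is an added example, not a script shipped with OWASP 1-Liner: it checks that git and gradle are on PATH, adds the two hosts-file entries only if they are not already present (so it can be re-run safely), clones the repository if needed and starts Jetty. The HOSTS_FILE variable, the RUN_SETUP guard and the function names are assumptions of this script, not part of the project.

```shell
#!/bin/sh
# Added helper, not part of the OWASP 1-Liner project. Assumes a POSIX shell,
# git and gradle on PATH, and write access to the hosts file (HOSTS_FILE may be
# overridden, e.g. to a temporary file, to try the functions without root).

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
REPO_URL="https://github.com/johnwilander/owasp-1-liner"

# Append "127.0.0.1 <name>" to the hosts file only if <name> is not already
# mapped on a non-comment line, so running the setup twice leaves the file
# unchanged.
ensure_hosts_entry() {
    file="$1"
    name="$2"
    if grep -Eq "^[^#]*[[:space:]]${name}([[:space:]]|\$)" "$file"; then
        return 0
    fi
    printf '127.0.0.1 %s\n' "$name" >> "$file"
}

# Count how many of the two demo host names are mapped to loopback in the
# given hosts file (0, 1 or 2). grep -c exits 1 on zero matches, so force a
# zero exit status to keep the count usable under "set -e".
count_demo_hosts() {
    grep -Ec "^127\.0\.0\.1[[:space:]]+(local\.1-liner\.org|attackr\.se)([[:space:]]|\$)" "$1" || true
}

# Return 0 if the named tool is on PATH, 1 otherwise.
require_tool() {
    command -v "$1" >/dev/null 2>&1
}

main() {
    require_tool git || { echo "git is required" >&2; exit 1; }
    require_tool gradle || { echo "gradle is required" >&2; exit 1; }
    ensure_hosts_entry "$HOSTS_FILE" local.1-liner.org
    ensure_hosts_entry "$HOSTS_FILE" attackr.se
    [ -d owasp-1-liner ] || git clone "$REPO_URL"
    cd owasp-1-liner || exit 1
    echo "Starting Jetty; then surf to https://local.1-liner.org:8444" >&2
    gradle jettyRun
}

# Only perform the setup when explicitly asked (RUN_SETUP=1 sh setup.sh), so
# the file can also be sourced just for its functions.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_SETUP=1 sh setup.sh` from the directory where the clone should land; the hosts-file step needs whatever privilege your system requires to edit that file.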
Get Involved – Help Wanted!
Application security is evolving and OWASP 1-Liner needs constant attention to be fresh and relevant. Your help is most welcome!
Some of the things you can do for this project:
- Debug the demo spec in OWASP_1-Liner_Demos.txt
Does the demo documentation work? What needs to be clarified?
- Debug the app in Internet Explorer 9 and 10
1-Liner has been developed on a Mac and there seem to be problems running it in IE.
- Build a proper login
Right now login is faked via the admin page. But we'll need proper login to be able to demo all the important things around authentication (attacks and countermeasures).
- Build proper session handling
Right now session handling is faked. Both vulnerable and securish session handling are needed.
- Add a DOM-based XSS attack demo
Since 1-Liner is a frontend heavy app it's a perfect victim for DOM-based XSS. Feel free to add such vulnerabilities.
- Integrate OWASP ESAPI
It would be nice to have ESAPI in the securish version of the app.
- Get unit testing back on track
All the unit tests were thrown out under the influence of the Demo Gods. Stuff just broke too easily back when the app was built and deployed with Maven and Spring was used to drive the JUnit test cases. We should get something working with Gradle.
- Build a .Net backend
It should be fairly easy to build a .Net backend now that there's a Java app to use as specification.
- Build jQuery UI and Dojo frontends
The current frontend is built using Ext JS but we probably need jQuery and Dojo as alternatives to maximize the impact.
Contributors in alphabetical order
- Paraskevi "Vicky" Simita
- John Wilander (project leader)