OWASP OSG User Stories

Back to SpoC 007 OSG page

Story #1
Bob works for a small security consulting firm and has recently been given the job of teaching a local bank's developers common web security issues. Instead of using an arbitrary website that has vulnerabilities in it he decides to make a copy of the bank's site and adding common vulnerabilities. However, Bob is stretched thin and doesn't want to write all these vulnerabilities by hand. He goes to OWASP because he knows of a project that he thinks will help him (OWASP Site Generator) looking at the project's area he thinks it will fit his needs. Bob installs OSG and sets it up. Once OSG is installed Bob launches htdig and crawls three levels deep of the bank's site and saves it to disk. Launching OSG Bob creates a new site using the desktop application and then interlaces the pages with the vulnerabilities he wishes to showcase in the training.

At the training Bob launches both the server and client applications and using the desktop client points the OSG site to use the custom layout he created. Using the custom template the vulnerabilities sank into the developers at the local bank. Also, because of his great performance Bob got a raise.

Story #2
Boris is a OWASP volunteer and finds out about this cool new web attack. He remembers that OWASP has a tool called OWASP Site Generator(OSG) that has a library of web attacks/vulnerabilities that can be included in web sites and web services. Boris checks to see if this new attack is in the library of possible attacks, it is not. He loads up his copy of Visual C# Express and imports in the IVulnerability interface into VS, so, that he can create this new web attack. After creating the attack and testing it on his local machine. He submits the source and a description to OWASP for approval and addition into the OSG attack library. The attack gets approved and included into the library for other people to use. Boris is also added to the list of people who have contributed to the library with links to what specifically he has added.

Story #3
Boris is an entry-level ASP.NET developer, clueless about web security. But he has a gut-feeling that his web apps are not very secure. So he wants to learn more about security using this new cool tool, OSG. He cannot implement the IVulnerability interface, because he doesn't quite get the whole interfaces idea, and even if he did, he wouldn't know what to put in the implementation. Therefore, he completely relies on the existing vulnerabilities library built by other people and made publicly available by OWASP. Specifically, there are only two types of attacks that he's actually interested in: XSS and SQL injection. So, he opens the OSG client and starts a new project (site). He wants to add two pages to it, one for XSS, and another for SQL injection. But he has no idea how to do it. He then hits “create site” and a default template is used to generate a site with links to the XSS and SQL Injection examples he specified as being available for his site.