O-Saft


OWASP SSL advanced forensic tool (O-Saft) is an easy-to-use tool to check various SSL/TLS related configurations, behaviours and vulnerabilities. It is a standalone tool and can be used in closed and very restricted environments.

Why

Currently the tool is developed and maintained by a very small team. There is just enough time to keep the checks up-to-date, accommodating new vulnerabilities, behaviours, etc.

The Working Session will focus on the internal redesign and on some improvements the tool needs to bring its full power to its users.

What

  • Improve checking of certificates
  • Implement state-of-the-art checking of OCSP
  • Improve checking of DH parameters and EC parameters
  • Write post processors for formatting the output; a lot of code is already there, it needs to be extracted into new tools
  • Implement fuzzing features using TLS-attacker
  • Build a test suite, run automated tests
  • Build a sophisticated knowledge database with search capabilities (probably using Python NLTK)
  • Is there a need for a GTK-based GUI (i.e. using YAD)?

Outcomes

  • Updated and more efficient O-Saft
  • Improved tools
  • New knowledge base

Who

The target audience for this Working Session is:

  • contributors to the tool
  • users in general and users having special requirements

Working materials

There is a docs directory with documentation for developers on GitHub.

A draft of all the topics to be discussed and worked on during the session is available in Google Docs.

Content

See “Working materials” above.


Create a Slack team; feel free to join the O-Saft team with your @owasp.org address (unfortunately Slack is too stupid to accept @gmail.com addresses).

Related Working Session(s)


