List: websecurity
Subject: Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware
From: romain <r () fuckthespam ! com>
Date: 2009-05-08 3:41:14
Message-ID: 4A03A9DA.6050704 () fuckthespam ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCAs/WebApps Scanners (everybody uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).
Hope many will contribute to this project!
I haven't had a chance to look at what apps compose this test suite,
but is Wivet part of it? Such a crawler-targeting test suite is also
important for web apps scanners...
--Romain
http://rgaucher.info
Andres Riancho wrote:
> List,
>
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
> - Testing Web Application Security Scanners
> - Testing Static Code Analysis tools (SCA)
> - Giving an introductory course to Web Application Security
>
> The motivation for creating this tool came after reading
> "anantasec-report.pdf" which is included in the release file which you
> are free to download. The main objective of this tool is to give the
> community a ready-to-use testbed for web application security tools.
> For almost every web application vulnerability in existence, there is
> a test script available in moth.
>
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
>
> There are three different ways to access the web applications and
> vulnerable scripts:
> - Directly
> - Through mod_security
> - Through PHP-IDS (only if the web application is written in PHP)
>
> Both mod_security and PHP-IDS have their default configurations and
> they show a log of the offending request when one is found. This is
> very useful for testing web application scanners, and teaching
> students how web application firewalls work. The beauty is that a user
> may access the same vulnerable script using the three methods; which
> helps a lot in the learning process.
>
> This is the first contribution of Bonsai Information Security to the
> w3af project. Many more contributions are on their way.
>
> More information about moth and the download link can be found here:
> http://www.bonsai-sec.com/research/moth.php
>
> Cheers,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKA6naPqFffxxIpwoRAhf+AKC+bbCSduVxatIiHBvCTVl41513MACgsqrz
U3EBZa+ejr36z0gnfLMiV9A=
=JZRZ
-----END PGP SIGNATURE-----
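The point Andres makes about a testbed shipping with a known list of its vulnerabilities is what makes scanner evaluation measurable: with ground truth you can compute what a scanner found, what it missed and what it hallucinated. The following is an added example of such a scorer, not code from moth, w3af or the thread; the vulnerability list and scanner report in it are constructed sample data, not moth's real list, and the (path, parameter, class) key is an assumption about how findings are identified.

```python
"""Score a web application scanner's findings against a known-vulnerability list.

Added example. GROUND_TRUTH and SCANNER_REPORT below are constructed sample
data in the style of a testbed's published vulnerability list; they are not
moth's real list or any scanner's real output.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Finding:
    path: str        # request path of the vulnerable script
    parameter: str   # name of the injectable parameter
    vuln_class: str  # vulnerability class, e.g. "sqli", "xss", "lfi"


def normalize(f: Finding) -> Finding:
    """Canonicalize a finding so trailing slashes and case do not cause spurious misses."""
    return Finding(f.path.rstrip("/").lower(), f.parameter.lower(), f.vuln_class.lower())


def score(ground_truth: Iterable[Finding], reported: Iterable[Finding]) -> Dict[str, object]:
    """Compare scanner output against ground truth; returns counts plus precision/recall."""
    truth = {normalize(f) for f in ground_truth}
    found = {normalize(f) for f in reported}
    tp = truth & found          # correctly reported
    fp = found - truth          # reported but not in the known list
    fn = truth - found          # known vulnerabilities the scanner missed
    precision = len(tp) / len(found) if found else 0.0
    recall = len(tp) / len(truth) if truth else 0.0
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn),
        "precision": precision, "recall": recall,
        "missed": sorted(fn, key=lambda f: (f.path, f.parameter)),
        "spurious": sorted(fp, key=lambda f: (f.path, f.parameter)),
    }


def recall_by_class(ground_truth: Iterable[Finding],
                    reported: Iterable[Finding]) -> Dict[str, Tuple[int, int]]:
    """Per vulnerability class: (found, total), so weak spots in a scanner stand out."""
    truth = {normalize(f) for f in ground_truth}
    found = {normalize(f) for f in reported}
    out: Dict[str, Tuple[int, int]] = {}
    for f in truth:
        hit, total = out.get(f.vuln_class, (0, 0))
        out[f.vuln_class] = (hit + (1 if f in found else 0), total + 1)
    return out


# Constructed ground truth (hypothetical paths, not moth's).
GROUND_TRUTH = [
    Finding("/sqli/basic.php", "id", "sqli"),
    Finding("/xss/reflected.php", "q", "xss"),
    Finding("/xss/stored.php", "comment", "xss"),
    Finding("/lfi/include.php", "page", "lfi"),
]

# Constructed scanner report: two true positives (one differing only in case
# and a trailing slash), one false positive, two misses.
SCANNER_REPORT = [
    Finding("/sqli/basic.php/", "ID", "SQLi"),
    Finding("/xss/reflected.php", "q", "xss"),
    Finding("/login.php", "user", "sqli"),
]


if __name__ == "__main__":
    result = score(GROUND_TRUTH, SCANNER_REPORT)
    print(f"TP={result['tp']} FP={result['fp']} FN={result['fn']} "
          f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
    for cls, (hit, total) in sorted(recall_by_class(GROUND_TRUTH, SCANNER_REPORT).items()):
        print(f"  {cls}: {hit}/{total}")
    for miss in result["missed"]:
        print("  missed:", miss.path, miss.parameter)
```

The same scorer works for the three access paths the announcement describes: run the scanner directly, then through mod_security, then through PHP-IDS, and compare the per-class recall of each run to see how much of the known vulnerability surface each filter layer actually hides from the scanner.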
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA