'Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       websecurity
Subject:    Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware
From:       romain <r () fuckthespam ! com>
Date:       2009-05-08 3:41:14
Message-ID: 4A03A9DA.6050704 () fuckthespam ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCAs/WebApps Scanners (every body uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).

Hope many will contribute to this project!

I haven't had a change to look at what apps compose this test suites,
but is Wivet part of it? Such crawler targeting test suite is also
important for web apps scanners...

- --Romain
http://rgaucher.info

Andres Riancho wrote:
> List,
> 
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
>     - Testing Web Application Security Scanners
>     - Testing Static Code Analysis tools (SCA)
>     - Giving an introductory course to Web Application Security
> 
> The motivation for creating this tool came after reading
> "anantasec-report.pdf" which is included in the release file which you
> are free to download. The main objective of this tool is to give the
> community a ready to use testbed for web application security tools.
> For almost every web application vulnerability in existance, there is
> a test script available in moth.
> 
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
> 
> There are three different ways to access the web applications and
> vulnerable scripts:
>     - Directly
>     - Through mod_security
>     - Through PHP-IDS (only if the web application is written in PHP)
> 
> Both mod_security and PHP-IDS have their default configurations and
> they show a log of the offending request when one is found. This is
> very useful for testing web application scanners, and teaching
> students how web application firewalls work. The beauty is that a user
> may access the same vulnerable script using the three methods; which
> helps a lot in the learning process.
> 
> This is the first contribution of Bonsai Information Security to the
> w3af project. Many more contributions are on it's way,
> 
> More information about moth and the download link can be found here:
>     http://www.bonsai-sec.com/research/moth.php
> 
> Cheers,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKA6naPqFffxxIpwoRAhf+AKC+bbCSduVxatIiHBvCTVl41513MACgsqrz
U3EBZa+ejr36z0gnfLMiV9A=
=JZRZ
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic