lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 7 May 2009 22:27:03 -0300
From: Andres Riancho <andres.riancho@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>, 
	webappsec <websecurity@...appsec.org>, 
	"owasp-argentina@...ts.owasp.org" <owasp-argentina@...ts.owasp.org>, 
	Opensource Code review engine <owasp-orizon@...ts.owasp.org>, 
	owasp-appcec-tool-benchmarking-project@...ts.owasp.org, 
	pen-test@...urityfocus.com, bugtraq@...urityfocus.com
Subject: [TOOL] moth - vulnerable web application vmware

List,

Moth is a VMware image with a set of vulnerable Web Applications and
scripts, that you may use for:
    - Testing Web Application Security Scanners
    - Testing Static Code Analysis tools (SCA)
    - Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading
"anantasec-report.pdf" which is included in the release file which you
are free to download. The main objective of this tool is to give the
community a ready to use testbed for web application security tools.
For almost every web application vulnerability in existance, there is
a test script available in moth.

Other tools like this are available but they lack one very important
feature: a list of vulnerabilities included in the Web Applications!
In our case, we used the results gathered in the anantasec report to
solve this issue without any extra work.

There are three different ways to access the web applications and
vulnerable scripts:
    - Directly
    - Through mod_security
    - Through PHP-IDS (only if the web application is written in PHP)

Both mod_security and PHP-IDS have their default configurations and
they show a log of the offending request when one is found. This is
very useful for testing web application scanners, and teaching
students how web application firewalls work. The beauty is that a user
may access the same vulnerable script using the three methods; which
helps a lot in the learning process.

This is the first contribution of Bonsai Information Security to the
w3af project. Many more contributions are on it's way,

More information about moth and the download link can be found here:
    http://www.bonsai-sec.com/research/moth.php

Cheers,
-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ