lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4A03A9DA.6050704@fuckthespam.com>
Date: Thu, 07 May 2009 20:41:14 -0700
From: romain <r@...kthespam.com>
To: Andres Riancho <andres.riancho@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	webappsec <websecurity@...appsec.org>,
	"owasp-argentina@...ts.owasp.org" <owasp-argentina@...ts.owasp.org>,
	Opensource Code review engine <owasp-orizon@...ts.owasp.org>,
	owasp-appcec-tool-benchmarking-project@...ts.owasp.org,
	pen-test@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCAs/WebApps Scanners (every body uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).

Hope many will contribute to this project!

I haven't had a change to look at what apps compose this test suites,
but is Wivet part of it? Such crawler targeting test suite is also
important for web apps scanners...

- --Romain
http://rgaucher.info

Andres Riancho wrote:
> List,
> 
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
>     - Testing Web Application Security Scanners
>     - Testing Static Code Analysis tools (SCA)
>     - Giving an introductory course to Web Application Security
> 
> The motivation for creating this tool came after reading
> "anantasec-report.pdf" which is included in the release file which you
> are free to download. The main objective of this tool is to give the
> community a ready to use testbed for web application security tools.
> For almost every web application vulnerability in existance, there is
> a test script available in moth.
> 
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
> 
> There are three different ways to access the web applications and
> vulnerable scripts:
>     - Directly
>     - Through mod_security
>     - Through PHP-IDS (only if the web application is written in PHP)
> 
> Both mod_security and PHP-IDS have their default configurations and
> they show a log of the offending request when one is found. This is
> very useful for testing web application scanners, and teaching
> students how web application firewalls work. The beauty is that a user
> may access the same vulnerable script using the three methods; which
> helps a lot in the learning process.
> 
> This is the first contribution of Bonsai Information Security to the
> w3af project. Many more contributions are on it's way,
> 
> More information about moth and the download link can be found here:
>     http://www.bonsai-sec.com/research/moth.php
> 
> Cheers,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKA6naPqFffxxIpwoRAhf+AKC+bbCSduVxatIiHBvCTVl41513MACgsqrz
U3EBZa+ejr36z0gnfLMiV9A=
=JZRZ
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ