Date: Thu, 07 May 2009 20:41:14 -0700
From: romain <r@...kthespam.com>
To: Andres Riancho <andres.riancho@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	webappsec <websecurity@...appsec.org>,
	"owasp-argentina@...ts.owasp.org" <owasp-argentina@...ts.owasp.org>,
	Opensource Code review engine <owasp-orizon@...ts.owasp.org>,
	owasp-appcec-tool-benchmarking-project@...ts.owasp.org,
	pen-test@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCAs/WebApps Scanners (everybody uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).

Hope many will contribute to this project!

I haven't had a chance to look at what apps compose this test suite,
but is Wivet part of it? Such a crawler-targeting test suite is also
important for web apps scanners...

- --Romain
http://rgaucher.info

Andres Riancho wrote:
> List,
> 
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
>     - Testing Web Application Security Scanners
>     - Testing Static Code Analysis tools (SCA)
>     - Giving an introductory course to Web Application Security
> 
> The motivation for creating this tool came after reading
> "anantasec-report.pdf" which is included in the release file which you
> are free to download. The main objective of this tool is to give the
> community a ready to use testbed for web application security tools.
> For almost every web application vulnerability in existence, there is
> a test script available in moth.
> 
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
> 
> There are three different ways to access the web applications and
> vulnerable scripts:
>     - Directly
>     - Through mod_security
>     - Through PHP-IDS (only if the web application is written in PHP)
> 
> Both mod_security and PHP-IDS have their default configurations and
> they show a log of the offending request when one is found. This is
> very useful for testing web application scanners, and teaching
> students how web application firewalls work. The beauty is that a user
> may access the same vulnerable script using the three methods; which
> helps a lot in the learning process.
> 
> This is the first contribution of Bonsai Information Security to the
> w3af project. Many more contributions are on their way,
> 
> More information about moth and the download link can be found here:
>     http://www.bonsai-sec.com/research/moth.php
> 
> Cheers,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKA6naPqFffxxIpwoRAhf+AKC+bbCSduVxatIiHBvCTVl41513MACgsqrz
U3EBZa+ejr36z0gnfLMiV9A=
=JZRZ
-----END PGP SIGNATURE-----

