Message-ID: <4A03A9DA.6050704@fuckthespam.com>
Date: Thu, 07 May 2009 20:41:14 -0700
From: romain <r@...kthespam.com>
To: Andres Riancho <andres.riancho@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
webappsec <websecurity@...appsec.org>,
"owasp-argentina@...ts.owasp.org" <owasp-argentina@...ts.owasp.org>,
Opensource Code review engine <owasp-orizon@...ts.owasp.org>,
owasp-appcec-tool-benchmarking-project@...ts.owasp.org,
pen-test@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware
Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCAs/WebApp Scanners (everybody uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).
Hope many will contribute to this project!
I haven't had a chance to look at what apps compose this test suite,
but is Wivet part of it? Such a crawler-targeting test suite is also
important for web app scanners...
- --Romain
http://rgaucher.info
Andres Riancho wrote:
> List,
>
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
> - Testing Web Application Security Scanners
> - Testing Static Code Analysis tools (SCA)
> - Giving an introductory course to Web Application Security
>
> The motivation for creating this tool came after reading
> "anantasec-report.pdf" which is included in the release file which you
> are free to download. The main objective of this tool is to give the
> community a ready to use testbed for web application security tools.
> For almost every web application vulnerability in existence, there is
> a test script available in moth.
>
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
>
> There are three different ways to access the web applications and
> vulnerable scripts:
> - Directly
> - Through mod_security
> - Through PHP-IDS (only if the web application is written in PHP)
>
> Both mod_security and PHP-IDS have their default configurations and
> they show a log of the offending request when one is found. This is
> very useful for testing web application scanners, and teaching
> students how web application firewalls work. The beauty is that a user
> may access the same vulnerable script using the three methods; which
> helps a lot in the learning process.
>
> This is the first contribution of Bonsai Information Security to the
> w3af project. Many more contributions are on its way,
>
> More information about moth and the download link can be found here:
> http://www.bonsai-sec.com/research/moth.php
>
> Cheers,