lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <003e01c7f3b8$be029200$3a07b600$@org>
Date: Mon, 10 Sep 2007 20:11:52 +0530
From: "Strykar" <str@...kerzlair.org>
To: "'Gadi Evron'" <ge@...uxbox.org>, <pen-test@...urityfocus.com>,
	<fuzzing@...testar.linuxbox.org>
Cc: full-disclosure@...ts.grok.org.uk, code-crunchers@...testar.linuxbox.org
Subject: Re: Vulnerable test application: Simple Web
	Server	(SWS)

Very interesting, been a while on here now.
Downloading as I speak.. will post a follow-up.


- S

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Gadi Evron
> Sent: Monday, September 10, 2007 11:36 AM
> To: pen-test@...urityfocus.com; fuzzing@...testar.linuxbox.org
> Cc: full-disclosure@...ts.grok.org.uk; code-
> crunchers@...testar.linuxbox.org
> Subject: [Full-disclosure] Vulnerable test application: Simple Web
> Server (SWS)
> 
> Every once in a while (last time a few months ago) someone emails one
> of
> the mailing lists about searching for an example binary, mostly for:
> 
> - Reverse engineering for vulnerabilities, as a study tool.
> - Testing fuzzers
> 
> Some of these exist, but I asked my employer, Beyond Security, to
> release
> our test application, specific for testing fuzzing (built for the
> beSTORM
> fuzzer). They agreed to release the HTTP version, following their
> agreement to release our ANI XML specification.
> 
> The GUI allows you to choose what port your want to run it on, as well
> as
> which vulnerabilities should be "active".
> 
> It is called Simple Web Server or SWS, and has the following
> vulnerabilities:
> 
>     1. Off-By-One in Content-Length (Integer overflow/malloc issue)
>     2. Overflow in User-Agent
>     3. Overflow in Method
>     4. Overflow in URI
>     5. Overflow in Host
>     6. Overflow in Version
>     7. Overflow in complete packet
>     8. Off By One in Receive function (linefeed/carriage return issue)
>     9. Overflow in Authorization Type
>    10. Overflow in Base64 decoded
>    11. Overflow in Username of authorization
>    12. Overflow in Password of authorization
>    13. Overflow in Body
>    14. Cross site scripting
> 
> It can be found on Beyond Security's website, here:
> http://www.beyondsecurity.com/sws_overview.html
> 
> Thanks,
> 
> Gadi Evron.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ