
Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware


Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCA and web app scanners (everybody uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).

Hope many will contribute to this project!

I haven't had a chance to look at what apps compose this test suite,
but is Wivet part of it? Such a crawler-targeting test suite is also
important for web app scanners...

--Romain

Andres Riancho wrote:
> List,
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
>     - Testing Web Application Security Scanners
>     - Testing Static Code Analysis tools (SCA)
>     - Giving an introductory course to Web Application Security
> The motivation for creating this tool came after reading
> "anantasec-report.pdf" which is included in the release file which you
> are free to download. The main objective of this tool is to give the
> community a ready-to-use testbed for web application security tools.
> For almost every web application vulnerability in existence, there is
> a test script available in moth.
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
> There are three different ways to access the web applications and
> vulnerable scripts:
>     - Directly
>     - Through mod_security
>     - Through PHP-IDS (only if the web application is written in PHP)
> Both mod_security and PHP-IDS have their default configurations and
> they show a log of the offending request when one is found. This is
> very useful for testing web application scanners, and teaching
> students how web application firewalls work. The beauty is that a user
> may access the same vulnerable script using the three methods; which
> helps a lot in the learning process.
> This is the first contribution of Bonsai Information Security to the
> w3af project. Many more contributions are on their way.
> More information about moth and the download link can be found here:
>     http://www.bonsai-sec.com/research/moth.php
> Cheers,
