[Owasp-leaders] Web Application Vulnerability Examples

psiinon psiinon at gmail.com
Thu Dec 23 05:08:29 EST 2010


I'd be very happy to be part of the regtest / benchmarking project.
And even lead it if no one else more suitable steps forward.
Anyone else want to be involved?
All contributions gratefully received ;)

Any suggestions for the name of such a project?
My suggestion is OWASP WAVE (Web Application Vulnerability Examples) -
although I guess some people might confuse it with the defunct Google
WAVE;)

Psiinon

On Thu, Dec 23, 2010 at 9:58 AM, John Wilander <john.wilander at owasp.org> wrote:
> I think Stephen is right. We need two projects. One for stable
> regression testing (and benchmarking?) of scanning tools. Not sure
> what kind of infrastructure that one needs. Maybe in-memory stuff will
> suffice? Anyway, Psiinon and Chris might be able to merge their suites?
> The other project is the demo/training app. As soon as I have
> something up on GitHub I'll let you guys know and maybe we can start
> adding labs and features together.
>
>   /John
>
> 2010/12/23 Chris Weber <chris at casaba.com>:
>> I created a set of pages for regression testing our Watcher passive scanner.  It's kind of embarrassing in its simplicity but may serve you ok and has around 40 tests.
>>
>> http://www.nottrusted.com/watcher
>>
>> -Chris Weber
>>
>>
>> On Dec 22, 2010, at 5:33 AM, "psiinon" <psiinon at gmail.com> wrote:
>>
>>> Hi folks,
>>>
>>> As part of the development of the Zed Attack Proxy I need a simple set
>>> of web pages that exhibit standard vulnerabilities.
>>> I know about the example vulnerable apps like Webgoat, DVWA, Gruyere,
>>> Hackme etc.
>>> However these are aimed at people.
>>> I want a set of web pages for regression testing ZAP, so I'd like as
>>> many examples and variants as possible, ideally with just one example
>>> per page.
>>>
>>> Do any of you know of such examples?
>>>
>>> If not then I'll implement them myself (I've already made a start),
>>> but if anyone else wants to get involved then I'd welcome the
>>> assistance :)
>>>
>>> I guess these examples could be useful to other projects.
>>> In theory such pages could be used to test the effectiveness of
>>> vulnerability scanners, although my goal is to develop a regression
>>> test suite for ZAP.
>>> They could also be used as a training aid. (Not sure what a specific
>>> vulnerability looks like in practice? Look here...)
>>> So does anyone think they should be spun off into a new OWASP project,
>>> either now or potentially later?
>>>
>>> Many thanks,
>>>
>>> Psiinon
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>
>
>
> --
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee

