[Owasp-leaders] Web Application Vulnerability Examples

Chuck Willis chuck at securityfoundry.com
Thu Dec 23 11:27:42 EST 2010


Hi all,

  This is Chuck Willis, leader of the OWASP Broken Web Applications
project.  I think that this project or projects sound like a great
idea.  My vision for OWASPBWA is for it to be a collection of
vulnerable applications from other OWASP projects and non-OWASP
sources, so there is not a conflict between OWASPBWA and this new
vision.  I would like to include these new items on the OWASPBWA VM
and OWASPBWA would provide a nice "turnkey" solution for people who
want to use the vulnerable applications without having to set up a
database, application server, frameworks, etc.

  I think that some of the applications that are currently on the
OWASPBWA VM could be used for testing scanners and the like, though
not as thoroughly as something built for that purpose.  OWASPBWA
includes realistic applications with intentional vulnerabilities and
old, vulnerable versions of real applications, both of which could be
scanned.  They may not contain every type of issue, but it is a good
starting point if you need something right now.

  What we are still lacking is a good catalog of where all the issues
are in those applications (to identify false positives and false
negatives from scanners), but I'm working to address that.  I've set
up a bug tracker on SourceForge to receive reports of such issues.  I
haven't had any submissions yet from the community, but I'm hoping to
drum up interest in 2011.

Chuck
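The catalog Chuck describes is what turns a collection of vulnerable pages into a scanner benchmark: with a ground-truth list of intentional issues you can separate true hits from false positives and see which known issues a scanner misses. The following is an added example (not code from OWASPBWA, ZAP or any poster), scoring a constructed scanner report against a constructed catalog in which each test page carries exactly one vulnerability, as psiinon proposed; the page paths and parameter names are made up for illustration.

```python
# Added example: score scanner output against a ground-truth catalog of
# intentional vulnerabilities to measure false positives and false negatives.
from collections import Counter, namedtuple

# A finding is identified by page, injected parameter and vulnerability class.
Finding = namedtuple("Finding", "page param vuln")

# Constructed catalog (hypothetical paths): one intentional issue per page.
CATALOG = {
    Finding("/xss/reflected_get.php", "q", "xss"),
    Finding("/xss/reflected_post.php", "comment", "xss"),
    Finding("/sqli/login.php", "username", "sqli"),
    Finding("/sqli/search.php", "term", "sqli"),
    Finding("/redirect/open.php", "url", "open_redirect"),
}

# Constructed scanner report, normalised to the same triple form.
SCANNER_REPORT = [
    Finding("/xss/reflected_get.php", "q", "xss"),
    Finding("/sqli/login.php", "username", "sqli"),
    Finding("/sqli/login.php", "password", "sqli"),        # spurious parameter
    Finding("/redirect/open.php", "url", "open_redirect"),
    Finding("/xss/reflected_post.php", "comment", "sqli"),  # wrong class: FP + FN
]


def score(catalog, report):
    """Return (true_positives, false_positives, false_negatives) as sorted lists.
    A finding counts only when page, parameter and vulnerability class all match,
    so a correct location reported under the wrong class is both an FP and an FN."""
    found = set(report)
    return sorted(found & catalog), sorted(found - catalog), sorted(catalog - found)


def precision_recall(catalog, report):
    """Precision = TP/(TP+FP), recall = TP/(TP+FN); 0.0 when undefined."""
    tp, fp, fn = score(catalog, report)
    precision = len(tp) / (len(tp) + len(fp)) if tp or fp else 0.0
    recall = len(tp) / (len(tp) + len(fn)) if tp or fn else 0.0
    return precision, recall


def misses_by_class(catalog, report):
    """Count false negatives per vulnerability class to show a scanner's weak spots."""
    return dict(Counter(f.vuln for f in score(catalog, report)[2]))


if __name__ == "__main__":
    tp, fp, fn = score(CATALOG, SCANNER_REPORT)
    print(f"TP={len(tp)} FP={len(fp)} FN={len(fn)}", precision_recall(CATALOG, SCANNER_REPORT))
    print("missed per class:", misses_by_class(CATALOG, SCANNER_REPORT))
```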

On Thu, Dec 23, 2010 at 5:08 AM, psiinon <psiinon at gmail.com> wrote:
> I'd be very happy to be part of the regtest / benchmarking project.
> And even lead it if no one else more suitable steps forward.
> Anyone else want to be involved?
> All contributions gratefully received ;)
>
> Any suggestions for the name of such a project?
> My suggestion is OWASP WAVE (Web Application Vulnerability Examples) -
> although I guess some people might confuse it with the defunct Google
> WAVE;)
>
> Psiinon
>
> On Thu, Dec 23, 2010 at 9:58 AM, John Wilander <john.wilander at owasp.org> wrote:
>> I think Stephen is right. We need two projects. One for stable
>> regression testing (and benchmarking?) of scanning tools. Not sure
>> what kind of infrastructure that one needs. Maybe in-memory stuff will
>> suffice? Anyway, Psiinon and Chris might be able to merge their suits?
>> The other project is the demo/training app. As soon as I have
>> something up on GitHub I'll let you guys know and maybe we can start
>> adding labs and features together.
>>
>>   /John
>>
>> 2010/12/23 Chris Weber <chris at casaba.com>:
>>> I created a set of pages for regression testing our Watcher passive scanner.  It's kind of embarrassing in its simplicity but may serve you ok and has around 40 tests.
>>>
>>> http://www.nottrusted.com/watcher
>>>
>>> -Chris Weber
>>>
>>>
>>> On Dec 22, 2010, at 5:33 AM, "psiinon" <psiinon at gmail.com> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> As part of the development of the Zed Attack Proxy I need a simple set
>>>> of web pages that exhibit standard vulnerabilities.
>>>> I know about the example vulnerable apps like Webgoat, DVWA, Gruyere,
>>>> Hackme etc.
>>>> However these are aimed at people.
>>>> I want a set of web pages for regression testing ZAP, so I'd like as
>>>> many examples and variants as possible, ideally with just one example
>>>> per page.
>>>>
>>>> Do any of you know of such examples?
>>>>
>>>> If not then I'll implement them myself (I've already made a start),
>>>> but if anyone else wants to get involved then I'd welcome the
>>>> assistance :)
>>>>
>>>> I guess these examples could be useful to other projects.
>>>> In theory such pages could be used to test the effectiveness of
>>>> vulnerability scanners, although my goal is to develop a regression
>>>> test suite for ZAP.
>>>> They could also be used as a training aid. (Not sure what a specific
>>>> vulnerability looks like in practice? Look here...)
>>>> So does anyone think they should be spun off into a new OWASP project,
>>>> either now or potentially later?
>>>>
>>>> Many thanks,
>>>>
>>>> Psiinon
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>
>>
>>
>> --
>> John Wilander, https://twitter.com/johnwilander
>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>>
>

