[Owasp-leaders] Web Application Vulnerability Examples

Chris Weber chris at casaba.com
Thu Dec 23 13:03:53 EST 2010

I could open these up.  I'm sure together we could build a more robust system for testing scanners.  I can picture something that's better at 'grading' scanners but also keeps to delivering test cases individually.  All of these were designed specifically to validate Watcher checks were still working between builds, but I do also use them generically to test other tools myself for comparison.  

-----Original Message-----
From: Stephen de Vries [mailto:stephen at twisteddelight.org] 
Sent: Thursday, December 23, 2010 2:03 AM
To: Chris Weber
Cc: Owasp leaders
Subject: Re: [Owasp-leaders] Web Application Vulnerability Examples

On Dec 23, 2010, at 10:25 AM, Chris Weber wrote:

> I created a set of pages for regression testing our Watcher passive 
> scanner.  It's kind of embarrassing in its simplicity

It's beautiful in its simplicity :) This is exactly the type of web app that would be very useful for scanners.  Any chance of opening it up - or do you accept submission of new test cases?


> On Dec 22, 2010, at 5:33 AM, "psiinon" <psiinon at gmail.com> wrote:
>> Hi folks,
>> As part of the development of the Zed Attack Proxy I need a simple 
>> set of web pages that exhibit standard vulnerabilities.
>> I know about the example vulnerable apps like Webgoat, DVWA, Gruyere, 
>> Hackme etc.
>> However these are aimed at people.
>> I want a set of web pages for regression testing ZAP, so I'd like as 
>> many examples and variants as possible, ideally with just one example 
>> per page.
>> Do any of you know of such examples?
>> If not then I'll implement them myself (I've already made a start), 
>> but if anyone else wants to get involved then I'd welcome the 
>> assistance :)
>> I guess these examples could be useful to other projects.
>> In theory such pages could be used to test the effectiveness of 
>> vulnerability scanners, although my goal is to develop a regression 
>> test suite for ZAP.
>> They could also be used as a training aid. (Not sure what a specific 
>> vulnerability looks like in practice? Look here...) So does anyone 
>> think they should be spun off into a new OWASP project, either now or 
>> potentially later?
>> Many thanks,
>> Psiinon
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders