[Owasp-leaders] Web Application Vulnerability Examples
psiinon at gmail.com
Sat Jan 8 08:10:53 EST 2011
I've uploaded an initial set of examples here:
I haven't had a chance to integrate all of the examples people have sent
to me, and I know that it's a very small start, but it should give an
indication of the direction I'm trying to go in.
All feedback and contributions gratefully received!
On Thu, Dec 23, 2010 at 6:03 PM, Chris Weber <chris at casaba.com> wrote:
> I could open these up. I'm sure together we could build a more robust system for testing scanners. I can picture something that's better at 'grading' scanners but also keeps to delivering test cases individually. All of these were designed specifically to validate Watcher checks were still working between builds, but I do also use them generically to test other tools myself for comparison.
> -----Original Message-----
> From: Stephen de Vries [mailto:stephen at twisteddelight.org]
> Sent: Thursday, December 23, 2010 2:03 AM
> To: Chris Weber
> Cc: Owasp leaders
> Subject: Re: [Owasp-leaders] Web Application Vulnerability Examples
> On Dec 23, 2010, at 10:25 AM, Chris Weber wrote:
>> I created a set of pages for regression testing our Watcher passive
>> scanner. It's kind of embarrassing in its simplicity
> It's beautiful in its simplicity :) This is exactly the type of web app that would be very useful for scanners. Any chance of opening it up - or do you accept submission of new test cases?
>> On Dec 22, 2010, at 5:33 AM, "psiinon" <psiinon at gmail.com> wrote:
>>> Hi folks,
>>> As part of the development of the Zed Attack Proxy I need a simple
>>> set of web pages that exhibit standard vulnerabilities.
>>> I know about the example vulnerable apps like Webgoat, DVWA, Gruyere,
>>> Hackme etc.
>>> However these are aimed at people.
>>> I want a set of web pages for regression testing ZAP, so I'd like as
>>> many examples and variants as possible, ideally with just one example
>>> per page.
>>> Do any of you know of such examples?
>>> If not then I'll implement them myself (I've already made a start),
>>> but if anyone else wants to get involved then I'd welcome the
>>> assistance :)
>>> I guess these examples could be useful to other projects.
>>> In theory such pages could be used to test the effectiveness of
>>> vulnerability scanners, although my goal is to develop a regression
>>> test suite for ZAP.
>>> They could also be used as a training aid. (Not sure what a specific
>>> vulnerability looks like in practice? Look here...) So does anyone
>>> think they should be spun off into a new OWASP project, either now or
>>> potentially later?
>>> Many thanks,
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org