Bugtraq mailing list archives
Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware
From: romain <r () fuckthespam com>
Date: Thu, 07 May 2009 20:41:14 -0700
Hey Andres,

That seems to be really cool stuff! We need more of these test suites for both SCAs/WebApp Scanners (everybody uses WebGoat, even vendors, so it's not fun and doesn't mean anything anymore). Hope many will contribute to this project!

I haven't had a chance to look at what apps compose this test suite, but is Wivet part of it? Such a crawler-targeting test suite is also important for web app scanners...

--Romain
http://rgaucher.info

Andres Riancho wrote:
List,

Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

- Testing Web Application Security Scanners
- Testing Static Code Analysis tools (SCA)
- Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading "anantasec-report.pdf", which is included in the release file which you are free to download. The main objective of this tool is to give the community a ready-to-use testbed for web application security tools. For almost every web application vulnerability in existence, there is a test script available in moth.

Other tools like this are available, but they lack one very important feature: a list of vulnerabilities included in the Web Applications! In our case, we used the results gathered in the anantasec report to solve this issue without any extra work.

There are three different ways to access the web applications and vulnerable scripts:

- Directly
- Through mod_security
- Through PHP-IDS (only if the web application is written in PHP)

Both mod_security and PHP-IDS have their default configurations and they show a log of the offending request when one is found. This is very useful for testing web application scanners, and for teaching students how web application firewalls work. The beauty is that a user may access the same vulnerable script using the three methods, which helps a lot in the learning process.

This is the first contribution of Bonsai Information Security to the w3af project. Many more contributions are on their way. More information about moth and the download link can be found here:

http://www.bonsai-sec.com/research/moth.php

Cheers,
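The announcement above describes two of moth's access paths in terms a student can compare: the same vulnerable script reached directly, and reached through a filtering layer (mod_security or PHP-IDS) that logs the offending request. The following is an added example written for this archive page; it is not moth's code, not a Bonsai or w3af script, and its signatures are constructed for illustration rather than taken from the mod_security or PHP-IDS rule sets. The names `vulnerable_echo`, `inspect`, `serve` and the sample requests are all hypothetical.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote

# Illustrative signatures in the spirit of a WAF's default rule set.
# Constructed for this example; NOT actual mod_security or PHP-IDS rules.
SIGNATURES = {
    "xss":       re.compile(r"<\s*script\b|javascript:|\bon[a-z]+\s*=", re.I),
    "sqli":      re.compile(r"\bunion\b[\s\S]+\bselect\b|'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
    "traversal": re.compile(r"(\.\./)+"),
}


@dataclass(frozen=True)
class Request:
    """A trimmed-down HTTP request: only the parts the filter looks at."""
    client: str
    path: str
    query: str  # raw (still percent-encoded) query string


def vulnerable_echo(req: Request) -> tuple[int, str]:
    """Stand-in for a reflected-parameter script: echoes `name` without escaping.
    Hypothetical; this is not one of moth's scripts."""
    name = parse_qs(req.query).get("name", [""])[0]
    return 200, f"<p>Hello {name}</p>"


def inspect(req: Request) -> list[tuple[str, str]]:
    """Return (rule, matched_text) pairs for the request's query string.
    The query is percent-decoded before matching, as a WAF normalises input,
    so URL-encoding alone does not hide a match from the signatures."""
    decoded = unquote(req.query)
    hits = []
    for rule, pattern in SIGNATURES.items():
        m = pattern.search(decoded)
        if m:
            hits.append((rule, m.group(0)))
    return hits


def serve(req: Request, mode: str, log: list[str]) -> tuple[int, str]:
    """Dispatch a request the way the two access paths in the announcement do:
    'direct' reaches the script untouched; 'filtered' puts an inspecting layer
    in front that blocks the request and records it in `log`."""
    if mode == "direct":
        return vulnerable_echo(req)
    if mode == "filtered":
        hits = inspect(req)
        if hits:
            rules = ",".join(r for r, _ in hits)
            log.append(f"[BLOCK] client={req.client} path={req.path} "
                       f"rules={rules} matched={hits[0][1]!r}")
            return 403, "Forbidden"
        return vulnerable_echo(req)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample traffic: one benign request, one with a percent-encoded script tag.
BENIGN = Request("10.0.0.5", "/echo.php", "name=Alice")
OFFENDER = Request("10.0.0.9", "/echo.php", "name=%3Cscript%3Etest%3C%2Fscript%3E")


def run_demo() -> dict:
    """Feed both sample requests down both paths; return responses and the filter log."""
    log: list[str] = []
    results = {
        "direct_benign":     serve(BENIGN, "direct", log),
        "direct_offender":   serve(OFFENDER, "direct", log),
        "filtered_benign":   serve(BENIGN, "filtered", log),
        "filtered_offender": serve(OFFENDER, "filtered", log),
    }
    return {"results": results, "log": log}


if __name__ == "__main__":
    demo = run_demo()
    for name, (status, body) in demo["results"].items():
        print(f"{name:18s} -> {status} {body}")
    print("\n".join(demo["log"]))
```

Running it shows the contrast the announcement is after: the direct path returns the reflected markup unchanged for both requests, while the filtered path answers the benign request normally and turns the offending one into a 403 plus a single log line naming the client, path and matching rule. The decode-before-match step is the caveat worth pointing out to students: a filter that matched the raw query string would miss the percent-encoded form entirely.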