Need a real Java web application with vulnerabilities

[Holger Peine <Holger.Peine () fh-hannover de>]

Hello,

I have a student who wants to perform a mostly manual security review
of some Java web application as his master's thesis work. I am well
aware of pedagogical, deliberately insecure applications like Webgoat
and many others. However, we need a real application for this:

- Real code, since the job should create a realistic experience for
  the student, and the results should not be readily available
  in advance (as with Webgoat etc.)

- Open source, so that source code review is possible, too

- Containing some vulnerabilities (so that the review will not be
  too frustrating)

- Medium-sized, to give a student (who has some beginner knowledge
  of web security) maybe two months of review work (the rest of his
  time will go into understanding web securty review and testing
  techniques and into writing up)

- Written in Java (e.g. not PHP), since this is the only language
  the student is sufficiently proficient in.

I was thinking that an early version of some open source application
such as a CMS might be a good candidate(?)

I'm hoping for your suggestions,
Holger Peine

-- 
Prof. Dr. Holger Peine
FH Hannover, Fakultät IV, Abt. Informatik
Tel: +49(511)9296-1830  Fax: -1810 (shared, please state my name)
Ricklinger Stadtweg 120, D-30459 Hannover, Germany



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------