Full Disclosure mailing list archives
Vulnerable test application: Simple Web Server (SWS)
From: Gadi Evron <ge () linuxbox org>
Date: Mon, 10 Sep 2007 01:06:29 -0500 (CDT)
Every once in a while (last time a few months ago) someone emails one of the mailing lists about searching for an example binary, mostly for:
- Reverse engineering for vulnerabilities, as a study tool.
- Testing fuzzers

Some of these exist, but I asked my employer, Beyond Security, to release our test application, specific for testing fuzzing (built for the beSTORM fuzzer). They agreed to release the HTTP version, following their agreement to release our ANI XML specification.

The GUI allows you to choose what port you want to run it on, as well as which vulnerabilities should be "active".

It is called Simple Web Server or SWS, and has the following vulnerabilities:
1. Off-By-One in Content-Length (Integer overflow/malloc issue)
2. Overflow in User-Agent
3. Overflow in Method
4. Overflow in URI
5. Overflow in Host
6. Overflow in Version
7. Overflow in complete packet
8. Off By One in Receive function (linefeed/carriage return issue)
9. Overflow in Authorization Type
10. Overflow in Base64 decoded
11. Overflow in Username of authorization
12. Overflow in Password of authorization
13. Overflow in Body
14. Cross site scripting

It can be found on Beyond Security's website, here:
http://www.beyondsecurity.com/sws_overview.html

Thanks,

Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/