WebApp Sec mailing list archives

Re: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities


From: Steve Pinkham <steve.pinkham () gmail com>
Date: Mon, 08 Mar 2010 13:03:41 -0500

Rogan Dawes wrote:
> Unfortunately, your first requirement seems to suggest against your
> suggestion. :-)
>
> As an open source app, the student would be able to see the change logs,
> and any security announcements for the app, and would be able to make
> use of those to identify known vulnerabilities in that version of the app.
>
> I suggest you look for a project that may have had a history of
> vulnerabilities (suggesting that they may still have others), but assign
> the student to review the current version of the app.
>
> Regards,
>
> Rogan

Unfortunately, as Rogan says, there's really no way for you to guarantee there are flaws in any webapp without knowing what they are.

Based on prior experience, if you take any of your internal department webapps of any complexity and let them work on (a non-production version of) those, there will be flaws. Also, finding less well-known open source projects that probably haven't been widely deployed and tested raises the chances they have problems. Extra points for projects that haven't been maintained in a few years and were built with slightly older frameworks.

I don't think I've ever turned in a report at the end of an assessment that says everything was done correctly, even when dealing with very competent teams in frameworks with the latest defenses. I doubt finding flaws in an internal app, or a decent-size but not widely deployed open source project unmaintained since the early 2000s, would be very hard.

Steve
--
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |