WebApp Sec mailing list archives
Re: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities
From: Steve Pinkham <steve.pinkham () gmail com>
Date: Mon, 08 Mar 2010 13:03:41 -0500
Rogan Dawes wrote:
> Unfortunately, your first requirement seems to suggest against your suggestion. :-)
>
> As an open source app, the student would be able to see the change logs, and any security announcements for the app, and would be able to make use of those to identify known vulnerabilities in that version of the app.
>
> I suggest you look for a project that may have had a history of vulnerabilities (suggesting that they may still have others), but assign the student to review the current version of the app.
>
> Regards,
>
> Rogan

Unfortunately, as Rogan says, there's really no way for you to guarantee there are flaws in any webapp without knowing what they are.
Based on prior experience, if you take any of your internal department webapps of any complexity and let them work on (a non-production version of) those, there will be flaws. Also, finding less well known open source projects that probably haven't been widely deployed and tested raises the chances it has problems. Extra points for projects that haven't been maintained in a few years and built with slightly older frameworks.
I don't think I've ever turned in a report at the end of an assessment that says everything was done correctly, even when dealing with very competent teams in frameworks with the latest defenses. I doubt finding flaws in an internal app or decent size but not widely deployed open source project unmaintained since early 2000s would be very hard.
Steve
--
| Steven Pinkham, Security Researcher |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |