Re: [W3af-develop] moth - A new release from the w3af project

2009-05-07 Thread Taras P. Ivashchenko

Andres, 
it's an interesting idea!

It looks like DVL[0] but especially for web security?

[0] http://www.damnvulnerablelinux.org/

wget http://dfn.dl.sourceforge.net/sourceforge/w3af/moth-v0.6.7z
--2009-05-07 22:41:28--  
http://dfn.dl.sourceforge.net/sourceforge/w3af/moth-v0.6.7z
... =)


 List,
 
 Today I'm releasing moth, a new tool which I think you'll enjoy.
 This release is for this mailing list only, the public release (full
 disclosure, web app sec mailing list, etc.) is going to be in a couple
 of days!
 
 Moth is a VMware image with a set of vulnerable Web Applications, that
 you may use for:
 - Testing Web Application Security Scanners
 - Testing Static Code Analysis tools (SCA)
 - Giving an introductory course to Web Application Security
 
 The motivation for creating this image came after reading
 anantasec-report.pdf which is included in this release
 (anantasec/anantasec-report.pdf). The main objective of this VMware
 image is to be able to test the w3af - Web Application Attack and
 Audit Framework and compare it with the commercial tools included in
 the report.
 
 Other tools like this are available (securibench to name one) but they
 lack one very important feature: a list of vulnerabilities that are
 included in the Web Applications! In our case, we use the results
 gathered in the anantasec report as our list of Web Application
 Vulnerabilities included in the release.
 
 For most of the web applications there are three different ways to access 
 them:
 - Directly
 - Through mod_security
 - Through PHP-IDS
 
 Both mod_security and PHP-IDS have their default configurations and
 they show a log of the offending request when one is found. This is
 very useful for testing web application scanners, and teaching
 students how web application firewalls work. The beauty is that a user
 may access a vulnerable script directly, then access the same script
 using mod_security and finally try to trigger the same vulnerability
 through PHP-IDS.
 
 The download link is here:
 https://sourceforge.net/project/showfiles.php?group_id=170274&package_id=321355&release_id=680646
 
 Please send the feedback to this mailing list, enjoy!
 
 Cheers,
 -- 
 Andrés Riancho
 http://www.bonsai-sec.com/
 http://w3af.sourceforge.net/
 
 --
 The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
 production scanning environment may not be a perfect world - but thanks to
 Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
 Series Scanner you'll get full speed at 300 dpi even with all image 
 processing features enabled. http://p.sf.net/sfu/kodak-com
 ___
 W3af-develop mailing list
 W3af-develop@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/w3af-develop


-- 
Taras P. Ivashchenko naplan...@gmail.com




Re: [W3af-develop] moth - A new release from the w3af project

2009-05-07 Thread Andres Riancho
Taras,

On Thu, May 7, 2009 at 3:43 PM, Taras P. Ivashchenko
naplan...@gmail.com wrote:

 Andres,
 it interesting idea!

 It looks like DVL[0] but especially for web security?

Yep, it's basically the same idea.

 [0] http://www.damnvulnerablelinux.org/

 wget http://dfn.dl.sourceforge.net/sourceforge/w3af/moth-v0.6.7z
 --2009-05-07 22:41:28--  
 http://dfn.dl.sourceforge.net/sourceforge/w3af/moth-v0.6.7z
 ... =)


 List,

     Today I'm releasing moth, a new tool which I think you'll enjoy.
 This release is for this mailing list only, the public release (full
 disclosure, web app sec mailing list, etc.) is going to be in a couple
 of days!

 Moth is a VMware image with a set of vulnerable Web Applications, that
 you may use for:
     - Testing Web Application Security Scanners
     - Testing Static Code Analysis tools (SCA)
     - Giving an introductory course to Web Application Security

 The motivation for creating this image came after reading
 anantasec-report.pdf which is included in this release
 (anantasec/anantasec-report.pdf). The main objective of this VMware
 image is to be able to test the w3af - Web Application Attack and
 Audit Framework and compare it with the commercial tools included in
 the report.

 Other tools like this are available (securibench to name one) but they
 lack one very important feature: a list of vulnerabilities that are
 included in the Web Applications! In our case, we use the results
 gathered in the anantasec report as our list of Web Application
 Vulnerabilities included in the release.

 For most of the web applications there are three different ways to access 
 them:
     - Directly
     - Through mod_security
     - Through PHP-IDS

 Both mod_security and PHP-IDS have their default configurations and
 they show a log of the offending request when one is found. This is
 very useful for testing web application scanners, and teaching
 students how web application firewalls work. The beauty is that a user
 may access a vulnerable script directly, then access the same script
 using mod_security and finally try to trigger the same vulnerability
 through PHP-IDS.

 The download link is here:
 https://sourceforge.net/project/showfiles.php?group_id=170274&package_id=321355&release_id=680646

     Please send the feedback to this mailing list, enjoy!

 Cheers,
 --
 Andrés Riancho
 http://www.bonsai-sec.com/
 http://w3af.sourceforge.net/



 --
 Taras P. Ivashchenko naplan...@gmail.com




-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/



[W3af-develop] moth - A new release from the w3af project

2009-05-05 Thread Andres Riancho
List,

Today I'm releasing moth, a new tool which I think you'll enjoy.
This release is for this mailing list only, the public release (full
disclosure, web app sec mailing list, etc.) is going to be in a couple
of days!

Moth is a VMware image with a set of vulnerable Web Applications, that
you may use for:
- Testing Web Application Security Scanners
- Testing Static Code Analysis tools (SCA)
- Giving an introductory course to Web Application Security

The motivation for creating this image came after reading
anantasec-report.pdf which is included in this release
(anantasec/anantasec-report.pdf). The main objective of this VMware
image is to be able to test the w3af - Web Application Attack and
Audit Framework and compare it with the commercial tools included in
the report.

Other tools like this are available (securibench to name one) but they
lack one very important feature: a list of vulnerabilities that are
included in the Web Applications! In our case, we use the results
gathered in the anantasec report as our list of Web Application
Vulnerabilities included in the release.

For most of the web applications there are three different ways to access them:
- Directly
- Through mod_security
- Through PHP-IDS

Both mod_security and PHP-IDS have their default configurations and
they show a log of the offending request when one is found. This is
very useful for testing web application scanners, and teaching
students how web application firewalls work. The beauty is that a user
may access a vulnerable script directly, then access the same script
using mod_security and finally try to trigger the same vulnerability
through PHP-IDS.

The download link is here:
https://sourceforge.net/project/showfiles.php?group_id=170274&package_id=321355&release_id=680646

Please send the feedback to this mailing list, enjoy!

Cheers,
-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/

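An added example, not part of this thread or of the moth image itself: the announcement relies on mod_security logging each offending request, and a tester comparing a scanner's requests against what the WAF flagged needs those log entries in a usable form. The parser below reads the mod_security 2.x serial audit log format and returns, per transaction, the client address, request line, response status and the rule ids and messages that fired. The log text is constructed for this example; the host, paths and rule id 999001 are invented.

```python
import re

# Constructed sample of a mod_security 2.x serial audit log: two transactions,
# one passed through (200) and one denied (403). All values are invented.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[07/May/2009:22:41:28 +0000] SgMd8H8AAAEAAB9A 192.168.56.1 51234 192.168.56.101 80
--1a2b3c4d-B--
GET /example-app/vuln.php?text=hello HTTP/1.1
--1a2b3c4d-F--
HTTP/1.1 200 OK
--1a2b3c4d-Z--
--5e6f7a8b-A--
[07/May/2009:22:41:29 +0000] SgMd8X8AAAEAAB9B 192.168.56.1 51235 192.168.56.101 80
--5e6f7a8b-B--
GET /example-app/vuln.php?text=blocked-sample HTTP/1.1
--5e6f7a8b-F--
HTTP/1.1 403 Forbidden
--5e6f7a8b-H--
Message: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:text. [id "999001"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"]
--5e6f7a8b-Z--
"""

# Section boundary: "--<transaction id>-<section letter>--"
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")


def parse_audit_log(text):
    """Group log lines by transaction id, then by section letter (A, B, F, H, Z...)."""
    txns, key = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            key = m.groups()
            txns.setdefault(key[0], {}).setdefault(key[1], [])
        elif key is not None:
            txns[key[0]][key[1]].append(line)
    return txns


def offending_requests(text):
    """One record per transaction with the fields a scanner comparison needs."""
    records = []
    for tid, sections in parse_audit_log(text).items():
        header = sections.get("A", [""])[0].split()   # [ts tz] unique_id src_ip src_port dst_ip dst_port
        status_line = sections.get("F", [""])[0]
        trailer = "\n".join(sections.get("H", []))     # rule messages live in section H
        records.append({
            "id": tid,
            "client": header[3] if len(header) > 3 else None,
            "request": sections.get("B", [""])[0],
            "status": int(status_line.split()[1]) if status_line.startswith("HTTP/") else None,
            "rule_ids": re.findall(r'\[id "(\d+)"\]', trailer),
            "msgs": re.findall(r'\[msg "([^"]*)"\]', trailer),
        })
    return records
```

Only transactions with a non-2xx status and at least one rule id were actually denied; a 200 with no section H is the baseline "direct" behaviour the announcement describes.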