Very interesting, been a while on here now. Downloading as I speak.. will post a follow-up.
- S > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:full- > [EMAIL PROTECTED] On Behalf Of Gadi Evron > Sent: Monday, September 10, 2007 11:36 AM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Cc: [email protected]; code- > [EMAIL PROTECTED] > Subject: [Full-disclosure] Vulnerable test application: Simple Web > Server (SWS) > > Every once in a while (last time a few months ago) someone emails one > of > the mailing lists about searching for an example binary, mostly for: > > - Reverse engineering for vulnerabilities, as a study tool. > - Testing fuzzers > > Some of these exist, but I asked my employer, Beyond Security, to > release > our test application, specific for testing fuzzing (built for the > beSTORM > fuzzer). They agreed to release the HTTP version, following their > agreement to release our ANI XML specification. > > The GUI allows you to choose what port your want to run it on, as well > as > which vulnerabilities should be "active". > > It is called Simple Web Server or SWS, and has the following > vulnerabilities: > > 1. Off-By-One in Content-Length (Integer overflow/malloc issue) > 2. Overflow in User-Agent > 3. Overflow in Method > 4. Overflow in URI > 5. Overflow in Host > 6. Overflow in Version > 7. Overflow in complete packet > 8. Off By One in Receive function (linefeed/carriage return issue) > 9. Overflow in Authorization Type > 10. Overflow in Base64 decoded > 11. Overflow in Username of authorization > 12. Overflow in Password of authorization > 13. Overflow in Body > 14. Cross site scripting > > It can be found on Beyond Security's website, here: > http://www.beyondsecurity.com/sws_overview.html > > Thanks, > > Gadi Evron. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
