Drew,

     An interesting idea your email inspired would be to use OWASP
WebGoat.  It's an application specifically written for testing by OWASP.
It can be used as a training environment (find the badness) or to
compare/evaluate the effectiveness of security measures [2], though some
have argued about how appropriate it is for evals [3].  If nothing else,
WebGoat would provide the same attack surface for each new release of
w3af.  WebGoat could be used like Wivet [4] was recently used to
evaluate the crawler functionality of w3af.
     As for a VM image, I've created a VMware image of the OWASP Live CD
that is currently a beta release and has WebGoat installed.  It's beta
because it's new - I use that image at work to do any testing I conduct.
A rar of the VMware instance is available for download [5] if you are
interested.  If you have any problems, send them my way or (preferred)
to the OWASP Live CD mail list. [6]

[1] http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
[2] https://www.owasp.org/index.php/OWASP_Securing_WebGoat_using_ModSecurity_Project
[3] http://archives.neohapsis.com/archives/sf/www-mobile/2006-q2/0321.html
[4] http://code.google.com/p/wivet/wiki/W3afVsWivet
    and http://sourceforge.net/mailarchive/forum.php?thread_name=cdfaf8b20812301659t7ce285b4m23ba4ef29b967a5b%40mail.gmail.com&forum_name=w3af-users
[5] http://mtesauro.com/livecd/index.php?title=Main_Page#VMware_Images
[6] https://lists.owasp.org/mailman/listinfo/owasp-live-cd-2008-project

-- Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project
http://mtesauro.com/livecd/ - Documentation Wiki

mouse wrote:
> What are folks using to benchmark or test updated versions of w3af? 
> Does anyone have a set of vmimages with vulnerable web apps or a list of
> vulnerable apps that are used in this effort?  Or do folks generally use
> custom apps?
>  
> Thanks,
> Drew
>  
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
