Greetings,
thanks for the resources. But why do you think that Webgoat is not a good
web app for testing W3AF? Do you think that it contains too many
vulnerabilities, which need manual investigation?
Thanks,
Vojta
On 1.12.2015 at 17:50 Matt Tesauro wrote:
> Vojtech,
>
> I'd suggest you look at this project:
> https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
>
> In the "Off-line" tab, there's a list of apps and the technology used
> to create them.
>
> For instance, Bodgeit Store is a Java based vulnerable app:
> https://github.com/psiinon/bodgeit
>
> Best of luck!
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> _https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project_
> http://AppSecLive.org - Community and Download site
>
>
> On Tue, Dec 1, 2015 at 7:42 AM, Vojtěch Polášek <krec...@gmail.com
> <mailto:krec...@gmail.com>> wrote:
>
> Hi,
> I would like to run W3AF against a commercial web application which uses
> similar technologies as Webgoat. Do you think that the applications which
> you mentioned will be able to provide some baseline for comparing the
> results?
> I need to find out if W3AF can correctly detect vulnerabilities in
> deliberately vulnerable applications before running it against the
> commercial application.
> The vulnerable application should be as close as possible to the commercial
> one in terms of the technologies used.
> Thank you,
> Vojtěch Polášek
>
>
> On 1.12.2015 at 14:19 Andres Riancho wrote:
> > webgoat is not usually a good target for testing scanners. I would
> > recommend other applications such as:
> > * http://testphp.acunetix.com/
> > * https://github.com/andresriancho/django-moth
> >
> > On Mon, Nov 30, 2015 at 3:41 PM, Vojtěch Polášek
> <krec...@gmail.com <mailto:krec...@gmail.com>> wrote:
> >> Greetings,
> >> thanks for the reply, I will try it out.
> >> To be exact, I am running W3Af against Owasp Webgoat, which runs on Tomcat.
> >> Best regards,
> >> Vojta
> >>
> >> On 30.11.2015 at 18:54 Andres Riancho wrote:
> >>> Vojtěch,
> >>>
> >>> Questions are welcome :)
> >>>
> >>> I assume you wanted to say JavaScript instead of Java; if JS is
> >>> heavily used, then yes, the web_spider is "almost useless".
> >>>
> >>> Well, the scan of the target URL can't be prevented, but if you
> >>> set the URL to http://target.com/ and disable web_spider, then w3af
> >>> won't have any parameters to find vulnerabilities in and the target is
> >>> "ignored" (most likely, haven't tested it).
> >>>
> >>> Regards,
> >>>
> >>> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek
> <krec...@gmail.com <mailto:krec...@gmail.com>> wrote:
> >>>> Greetings,
> >>>> my name is Vojtěch Polášek and I am a blind IT student from the
> >>>> Czech Republic.
> >>>> As a part of my bachelor thesis, I am researching some tools for
> >>>> security analysis of web applications. One of those tools is W3AF, so
> >>>> expect some questions in the near future :-)
> >>>> I need to perform analysis of a Java application, where web_spider is
> >>>> useless. Therefore I use the spider_man plugin. My question is: would
> >>>> it be possible to prevent the initial scan of the URL set as target?
> >>>> Because it does not make much sense, as all needed input is facilitated
> >>>> through spider_man.
> >>>> Thank you for your response and best regards,
> >>>> Vojtěch Polášek
------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
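The plan discussed in the thread, running the scanner against a deliberately vulnerable application whose issues are known before pointing it at the commercial one, is in effect a detection-rate measurement: every known issue the scanner misses is a false negative, every report with no matching known issue is a false positive. The script below is an added example and is not code from the thread or from w3af. It assumes a hypothetical baseline of known issues (kind, URL, parameter) and a list of scanner findings in the same shape; both lists are constructed here, and in practice the scanner findings would be parsed from whatever report the scanner exports. The host `vulnapp.example` and all paths are placeholders.

```python
"""Compare scanner findings against a known-vulnerability baseline.

Added example (not from the w3af project). Both the baseline and the scanner
output are constructed sample data for a hypothetical test application.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    kind: str    # vulnerability class, e.g. "sqli", "xss", "csrf"
    url: str     # URL where the issue was found (query string is ignored)
    param: str   # injected parameter name


def normalize(f: Finding) -> tuple:
    """Canonical key so that trivially different spellings still match.

    Case of kind/param is ignored, the query string is dropped (scanners often
    report the URL with the payload still attached) and trailing slashes are
    removed from the path.
    """
    parts = urlsplit(f.url)
    path = parts.path.rstrip("/") or "/"
    return (f.kind.strip().lower(), parts.netloc.lower(), path, f.param.strip().lower())


def compare(baseline, scanner):
    """Split baseline and scanner findings into TP / FN / FP sets of keys."""
    base = {normalize(f) for f in baseline}
    seen = {normalize(f) for f in scanner}
    return {
        "true_positives": sorted(base & seen),   # known issue, reported
        "false_negatives": sorted(base - seen),  # known issue, missed
        "false_positives": sorted(seen - base),  # reported, not in baseline
    }


def recall_by_kind(result, baseline):
    """Fraction of the baseline issues of each kind that the scanner reported."""
    found = set(result["true_positives"])
    totals, hits = {}, {}
    for f in baseline:
        key = normalize(f)
        totals[key[0]] = totals.get(key[0], 0) + 1
        if key in found:
            hits[key[0]] = hits.get(key[0], 0) + 1
    return {kind: hits.get(kind, 0) / n for kind, n in totals.items()}


# Constructed baseline: issues deliberately planted in the hypothetical app.
BASELINE = [
    Finding("sqli", "http://vulnapp.example/search", "q"),
    Finding("xss", "http://vulnapp.example/search", "q"),
    Finding("xss", "http://vulnapp.example/guestbook", "comment"),
    Finding("csrf", "http://vulnapp.example/account/update", "email"),
]

# Constructed scanner output: two hits (with cosmetic differences the
# normalizer absorbs), one miss per kind, and one unrelated report.
SCANNER = [
    Finding("SQLi", "http://vulnapp.example/search?q=1", "q"),
    Finding("xss", "http://vulnapp.example/guestbook/", "comment"),
    Finding("xss", "http://vulnapp.example/about", "lang"),
]


if __name__ == "__main__":
    result = compare(BASELINE, SCANNER)
    for label, keys in result.items():
        print(f"{label}: {len(keys)}")
        for kind, host, path, param in keys:
            print(f"  {kind:5} {host}{path} [{param}]")
    print("recall by kind:", recall_by_kind(result, BASELINE))
```

Running it on the constructed data reports two true positives, two false negatives (the reflected XSS in `search` and the CSRF issue) and one false positive, so per-kind recall is 1.0 for SQL injection, 0.5 for XSS and 0.0 for CSRF. The per-kind view is the useful one for the comparison in the thread: a scanner that finds every SQL injection but no CSRF in the test application tells you which classes of its results on the commercial application you can rely on and which need manual verification.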