Hi,
thank you very much for your suggestions. Could you please give me some
hint why WebGoat is not a good solution for measuring the
successes/failures of W3AF?
Thank you,
Vojta

On 1.12.2015 at 17:50 Matt Tesauro wrote:
> Vojtech, 
>
> I'd suggest you look at this project:
> https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
>
> In the "Off-line" tab, there's a list of apps and the technology used
> to create them.
>
> For instance, Bodgeit Store is a Java based vulnerable app:
> https://github.com/psiinon/bodgeit 
>
> Best of luck!
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline 
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Tue, Dec 1, 2015 at 7:42 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>
>     Hi,
>     I would like to run W3AF against a commercial web application which uses
>     similar technologies as WebGoat. Do you think that the applications which
>     you mentioned will be able to provide some baseline for comparing
>     results?
>     I need to find out if W3AF can correctly detect vulnerabilities in
>     deliberately vulnerable applications before running it against the
>     commercial application.
>     The vulnerable application should be as close as possible to the
>     commercial one in terms of the technologies used.
>     Thank you,
>     Vojtěch Polášek
>
>
>     On 1.12.2015 at 14:19 Andres Riancho wrote:
>     > webgoat is not usually a good target for testing scanners. I would
>     > recommend other applications such as:
>     >     * http://testphp.acunetix.com/
>     >     * https://github.com/andresriancho/django-moth
>     >
>     > On Mon, Nov 30, 2015 at 3:41 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>     >> Greetings,
>     >> thanks for the reply, I will try it out.
>     >> To be exact, I am running W3AF against OWASP WebGoat, which runs on Tomcat.
>     >> Best regards,
>     >> Vojta
>     >>
>     >> On 30.11.2015 at 18:54 Andres Riancho wrote:
>     >>> Vojtěch,
>     >>>
>     >>>     Questions are welcome :)
>     >>>
>     >>>     I assume you wanted to say JavaScript instead of Java; if JS is
>     >>> heavily used, then yes, the web_spider is "almost useless".
>     >>>
>     >>>     Well, the scan of the target URL can't be prevented, but if you
>     >>> set the URL to http://target.com/ and disable web_spider, then w3af
>     >>> won't have any parameters to find vulnerabilities in and the target is
>     >>> "ignored" (most likely, haven't tested it).
>     >>>
>     >>> Regards,
>     >>>
>     >>> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>     >>>> Greetings,
>     >>>> my name is Vojtěch Polášek and I am a blind IT student from the
>     >>>> Czech Republic.
>     >>>> As a part of my bachelor thesis, I am researching some tools for
>     >>>> security analysis of web applications. One of those tools is W3AF, so
>     >>>> expect some questions in the near future :-)
>     >>>> I need to perform analysis of a Java application, where web_spider is
>     >>>> useless. Therefore I use the spider_man plugin. My question is: would
>     >>>> it be possible to prevent the initial scan of the URL set as target?
>     >>>> Because it does not make much sense, as all needed input is
>     >>>> facilitated through spider_man.
>     >>>> Thank you for your response and best regards,
>     >>>> Vojtěch Polášek
>     >>>>
>     >>>>
>     >>>> _______________________________________________
>     >>>> W3af-users mailing list
>     >>>> W3af-users@lists.sourceforge.net
>     >>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>     >>>
>     >>
>     >>
>     >
>     >
>
>
>
>
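As an added example (not a script from this thread or from the w3af project), here is a w3af console script that follows Andres's advice above for benchmarking the scanner against a local deliberately vulnerable app: web_spider is simply not enabled, spider_man supplies the requests you browse through its proxy, and the target is a constructed stand-in address for a WebGoat-style app on a local Tomcat. The spider_man option names (listen_address, listen_port) and the assumption that `#` comment lines are skipped by the script loader are mine, so check them against `crawl config spider_man` in your w3af version.

```text
# Run with: ./w3af_console -s baseline.w3af
plugins
# Only spider_man is enabled for crawling; web_spider stays off so the
# scanner gets its parameters solely from requests you make via the proxy.
crawl spider_man
crawl config spider_man
set listen_address 127.0.0.1
set listen_port 44444
back
# Audit plugins to measure against the app's known, documented vulnerabilities.
audit sqli, xss
# Write findings to a file so they can be compared with the expected list.
output console, text_file
output config text_file
set output_file baseline-findings.txt
set verbose True
back
back
target
# Constructed stand-in for the locally hosted vulnerable application.
set target http://127.0.0.1:8080/
back
start
```

Once the scan pauses at the spider_man proxy, point your browser at 127.0.0.1:44444, walk through the lessons whose vulnerabilities you expect the scanner to find, then stop the proxy so the audit phase runs only on what you exercised; the resulting findings file is what you compare against the app's known-vulnerability list.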
