Hey Andres,

That seems to be really cool stuff! We need more of these test suites for both SCAs/WebApp scanners (everybody uses WebGoat, even vendors, so it's not fun and doesn't mean anything anymore).

Hope many will contribute to this project!

I haven't had a chance to look at what apps compose this test suite, but is Wivet part of it? Such a crawler-targeting test suite is also important for web app scanners...

--Romain
http://rgaucher.info

Andres Riancho wrote:
> List,
>
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
> - Testing Web Application Security Scanners
> - Testing Static Code Analysis tools (SCA)
> - Giving an introductory course to Web Application Security
>
> The motivation for creating this tool came after reading
> "anantasec-report.pdf", which is included in the release file which you
> are free to download. The main objective of this tool is to give the
> community a ready-to-use testbed for web application security tools.
> For almost every web application vulnerability in existence, there is
> a test script available in moth.
>
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
>
> There are three different ways to access the web applications and
> vulnerable scripts:
> - Directly
> - Through mod_security
> - Through PHP-IDS (only if the web application is written in PHP)
>
> Both mod_security and PHP-IDS have their default configurations and
> they show a log of the offending request when one is found. This is
> very useful for testing web application scanners, and teaching
> students how web application firewalls work. The beauty is that a user
> may access the same vulnerable script using the three methods, which
> helps a lot in the learning process.
>
> This is the first contribution of Bonsai Information Security to the
> w3af project. Many more contributions are on their way.
>
> More information about moth and the download link can be found here:
> http://www.bonsai-sec.com/research/moth.php
>
> Cheers,