Web App Security

Re: Need a real Java web application with vulnerabilities

Tue, 09 Mar 2010 00:58:33 GMT

Posted by Yu Qu on Mar 08

Hi, Peine and others:

I have encountered similar problems too, my suggestion is please try to google the alphabetic strings like this:

"sql injection vulnerability CVE site:web.nvd.nist.gov jsp"

I believe that some positive results can be found. I'm also looking forward to other suggestions, thx!

Best wishes!

------------------------------------

Yu Qu

Ph.D. Candidate Student

Ministry of Education Key Lab for Intelligent...

RE: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 23:34:57 GMT

Posted by Calderon, Juan Carlos (GE, Corporate, consultant) on Mar 08

Yeah, Steve's is just a nice approach, my experience is the same, you
will hardly find a non vulnerable custom application.

Besides you will improve your internal systems security, but fix them
fast or you could suddenly have those vulnerabilities exploited in
production and some grades changed :).

Regards,
JC

-----Original Message-----
From: Steve Pinkham [mailto:steve.pinkham () gmail com]
Sent: Lunes, 08 de Marzo de 2010 12:04 p.m.
To:...

Re: Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 23:28:41 GMT

Posted by Morgan Reed on Mar 08

Sounds like the right approach, though I'm not aware of any Java based CMS.

I'd suggest your best bet is to go trawling some of the various
vulnerability databases around the place for a suitable candidate.

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus...

Re: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 23:24:32 GMT

Posted by Steve Pinkham on Mar 08

Rogan Dawes wrote:
> Unfortunately, your first requirement seems to suggest against your
> suggestion. :-)
>
> As an open source app, the student would be able to see the change logs,
> and any security announcements for the app, and would be able to make
> use of those to identify known vulnerabilities in that version of the
app.
>
> I suggest you look for a project that may have had a history of
>...

Security BSides Austin - sponsors needed!

Mon, 08 Mar 2010 23:18:10 GMT

Posted by Benjamin Tomhave on Mar 08

Hi folks,

We need your help. We're still looking for sponsors for this weekend's
Security BSides Austin, which is set to occur the same day as the
kickoff for SxSW Interactive (a major developer conference). We have
official sponsorship from Astaro and Panda, plus a couple unofficial
sponsors. We'd love to see your organization involved, too! We're hoping
for a successful inaugural event in Austin, TX, so that next year we can
become officially...

Re: Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 23:13:24 GMT

Posted by Marc-André Laverdière on Mar 08

You can have a try at Securibench. Some of the apps in there don't run without
some serious armtwisting though, but its good enough for manual review and
static analysis.

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck....

Re: Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 23:07:57 GMT

Posted by Federico Maggi on Mar 08

OWASP's WebGoat Project has designed a non-trivial web application in Java, exactly for this purpose.

Ciao,
-- Federico

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 23:04:36 GMT

Posted by Kvetch on Mar 08

Check out Daffodil CRM - http://sourceforge.net/projects/daffodilcrm/
It has SQL injection, XSS and some coding opportunities.

Nick Baronian

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 22:52:04 GMT

Posted by Wagner Elias on Mar 08

OWASP Broken Web App Project contains WebGoat an app vulnerable in Java.
http://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project#tab=Project_Details

Regards

2010/3/8 Holger Peine <Holger.Peine () fh-hannover de>:

Need a real Java web application with vulnerabilities

Mon, 08 Mar 2010 12:40:13 GMT

Posted by Holger Peine on Mar 08

Hello,

I have a student who wants to perform a mostly manual security review
of some Java web application as his master's thesis work. I am well
aware of pedagogical, deliberately insecure applications like Webgoat
and many others. However, we need a real application for this:

- Real code, since the job should create a realistic experience for
the student, and the results should not be readily available
in advance (as with Webgoat etc.)

-...

SamuraiWTF 0.8 released

Sat, 06 Mar 2010 01:09:20 GMT

Posted by Kevin Johnson on Mar 05

Hi all,

I have just finished releasing SamuraiWTF 0.8. It is available at http://samurai.inguardians.com
and is a huge update. It includes metasploit, target applications
and tons of tool updates. It is now DVD sized as it has out grown the
CD release.

Thank you
Kevin Johnson and the SamuraiWTF project team

Senior Security Analyst
InGuardians, Inc.
office: 202.448.8958
cell: 904.403.8024

removing version identifying attribution data

Fri, 05 Mar 2010 01:47:37 GMT

Posted by Robin Wood on Mar 04

With a lot of open source web apps there is usually some kind of file
or comment block in the code that identifies the author and gives
attribution. The problem with most of these is that they end up
leaking information about the version of the app being used.

I'm very keen on keeping attribution in place and wouldn't want to
release software without giving due credit but at the same time I'd
rather not expose my clients to data leakage which I...

Vulnerabilities Animated Clips

Wed, 03 Mar 2010 14:50:33 GMT

Posted by Maty Siman on Mar 03

One of the biggest challenges of the security community is to build true
SDLC (Secure development Life Cycle).
The biggest obstacle is that application developers at large lack the
know-how and motivation to address application risk.
At Checkmarx labs we thought that a new approach to application developers
might help them cross the barrier.
We have developed as a pilot including two short animated clips that should
help developers understand a...

Advanced PHP Hacking

Wed, 03 Mar 2010 14:42:21 GMT

Posted by Laurent OUDOT at TEHTRI-Security on Mar 03

Hi,

I'd like to announce a Security Master's Dojo course during next
CanSecWest 2010 in Vancouver (March 22-26 2010).

Title: Advanced PHP Hacking (!)

PHP is a worldwide web language used by individuals as well as companies
(Facebook...). This session aims at providing a hands-on focused PHP
Hacking experience. After this course, you will really know how
attackers work and move through PHP hax0ring so that they can jump
deeper down to your...

Re: Cookie Secure Attribute - Clarification

Tue, 02 Mar 2010 00:02:50 GMT

Posted by 51l3n73y3s on Mar 01

I would make the attribute as Secure and then also set the requireSSL of the
form to true. In this way the server will discard it if it's over HTTP.

Regards, Sandeep

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Sent: Sunday, February 28, 2010 12:23 PM
To: <webappsec () securityfocus com>
Subject: Re: Cookie Secure Attribute - Clarification

This list is...