[WEB SECURITY] Question & Answer guide for web application security testing
Boberski, Michael [USA]
boberski_michael at bah.com
Wed Mar 10 11:37:01 EST 2010
Perhaps consider: http://www.owasp.org/index.php/ASVS
Best,
Mike B.
From: Dheeraj Mahadik [mailto:dheerajm at info-spectrum.com]
Sent: Wednesday, March 10, 2010 8:06 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Question & Answer guide for web application security testing
Hello All,
I am preparing the Question and Answer guide for web application security testing.
Q&A could be of any category (beginner/intermediate/expert).
I would be grateful if someone shares URLs/PDFs etc. with me.
Thanks
-Dheeraj
----- Original Message -----
From: Ivan Buetler <ivan.buetler at csnc.ch>
To: Giovanni Vigna <vigna at cs.ucsb.edu>; websecurity at webappsec.org
Sent: Tuesday, March 09, 2010 2:53 PM
Subject: RE: [WEB SECURITY] Need a real Java web application (with constraints)
Hi there,
We do have a complete "vulnerable" training web application in
www.hacking-lab.com. It is in pure java without the use of validation
frameworks. The web app is vulnerable for all owasp top 10 issues,
including json hijacking, click jacking, xsrf, sql injection, blind sql
injection, xml external entity attack, wsdl enumeration, session
fixation, cross site scripting, second order injection, xss worm
development, misconfigurations, username enumeration, authorization
bypass, url-redirection attack, cookie weaknesses and attacks, url-based
session attacks.
It could be the target app you are looking for. The app was being
developed over the last 8 years, since the beginning of web app attacks.
To be honest, we charge a fee to the lab - and it is being used by
Universities and Companies alike to train their students or/and
employees.
If this sounds interesting to you, I am pleased to open a test account
for you and your team.
Regards
Ivan
-----Original Message-----
From: Giovanni Vigna [mailto:vigna at cs.ucsb.edu]
Sent: Monday, March 08, 2010 8:34 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Need a real Java web application (with constraints)
Given the recent thread about a web app with vulns, I have a question
for the list:
I am searching for servlet-based web applications that do not use
frameworks, such as Struts.
We are developing a vulnerability analysis tool tailored to web
application logic errors, and we are using symbolic model checking,
which makes it difficult to deal with Struts-like frameworks...
If you have (or know about) an app that matches the constraints above we
would be thrilled to use it as a test app (if you don't want to disclose
the name of your app to the public we will report the bugs anonymously
in our reports and we will give feedback to you so that you can fix
them).
We are the security group at the University of California in Santa Barbara
http://www.cs.ucsb.edu/~seclab
http://www.cs.ucsb.edu/~vigna
Thank you in advance!
Cheers,
G
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA