Nytro Posted December 29, 2011

Web Application Vulnerability Scanner Evaluation

A vulnerable web application designed to help assess the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.

Important Update: the auto-installer must be used - load the war in Tomcat, access the URL "/wavsep/wavsep-install/install.jsp", and follow the instructions.

Previous benchmarks performed using the platform:

- 2011 Comparison of 60 commercial & open source scanners
- 2010 Comparison of 42 open source scanners

Additional information can be found in the developer's blog: Security Tools Benchmarking

PDF files with detailed feature comparison are now hosted in the following web site: sectooladdict-benchmarks - A collection of benchmarks from the security tools benchmarking blog - Google Project Hosting

Project WAVSEP currently includes the following test cases:

Vulnerabilities:

- Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
- Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)
- Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)
- Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)
- Passive Information Disclosure/Session Vulnerabilities (inspired/imported from ZAP-WAVE): 3 test cases of erroneous information leakage, and 2 cases of improper authentication / information disclosure - implemented in 5 jsp pages
- Experimental Test Cases (inspired/imported from ZAP-WAVE): 9 additional RXSS test cases (anti-CSRF tokens, secret input vectors, tag signatures, etc.), and 2 additional SQLi test cases (INSERT) - implemented in 11 jsp pages (GET & POST)

False Positives:

- 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST)
- 10 different categories of false positive SQL Injection vulnerabilities (GET & POST)

Additional Features:

- A simple web interface for accessing the vulnerable pages
- An auto-installer for the mysql database schema (/wavsep-install/install.jsp)
- Sample detection & exploitation payloads for each and every test case
- Database connection pool support, ensuring the consistency of scanning results

Usage

Although some of the test cases are vulnerable to additional exposures, the purpose of each test case is to evaluate the detection accuracy of one type of exposure, and thus "out of scope" exposures should be ignored when evaluating the accuracy of vulnerability scanners.

Installation

(@) Use a JRE/JDK that was installed using an offline installation (the online installation caused unknown bugs for some users).
(1) Download & install Apache Tomcat 6.x
(2) Download & install MySQL Community Server 5.5.x (Remember to enable remote root access if not on the same station as wavsep, and to choose a root password that you remember).
(3) Copy the wavsep.war file into the tomcat webapps directory (Usually "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps" - Windows 32/64 Installer)
(4) Restart the application server
(5) Initiate the install script at: http://localhost:8080/wavsep/wavsep-install/install.jsp
(6) Provide the database host, port and root credentials to the installation script, in addition to customizable wavsep database user credentials.
(7) Access the application at: http://localhost:8080/wavsep/

Troubleshooting Installation Issues

As of version v1.1.1, several installation related issues were fixed (encoding / other).

- Make sure the JRE/JDK was installed using an offline installer.
- Make sure the tomcat server was installed after the offline JRE/JDK installation.
- Make sure that the mysql server was installed with remote root connection enabled, and with a firewall rule exception (options in the mysql installer).
- If previous versions of wavsep v1.1.0+ were installed, it's best to delete the "db" folder which was created after the previous installation under the tomcat root directory - prior to installing the new version (the installation should work even without this deletion, as long as sql-related pages were not accessed in the current tomcat execution).
- If the previous derby database was not deleted prior to the installation for whatever reason, do not access any sql-related existing pages before accessing the schema installation page.
- On Windows 7, it might be necessary to run the tomcat server with administrator permissions (rare scenario).

Download: http://code.google.com/p/wavsep/downloads/list

Source: wavsep - Web Application Vulnerability Scanner Evaluation Project - Google Project Hosting
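The post lists true-positive test cases and false-positive decoy pages, and its Usage section says that exposures outside a case's intended type must be ignored when scoring. The script below is an added example of that scoring rule, not code from WAVSEP or from the post: given an inventory of test cases (path, intended exposure category, whether the page is really vulnerable) and a scanner's findings, it counts per category the true positives, missed cases, false positives on decoys, and the resulting detection and false-positive rates. The paths, categories and findings are constructed for the example and do not reflect WAVSEP's real URL layout.

```python
"""Score scanner findings against a WAVSEP-style test-case inventory.

Added example; not part of WAVSEP. All paths and findings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TestCase:
    path: str         # page under test (constructed path, not WAVSEP's real layout)
    category: str     # the one exposure type this case is meant to measure
    vulnerable: bool  # True = genuinely vulnerable page, False = false-positive decoy


@dataclass(frozen=True)
class Finding:
    url: str          # URL the scanner reported (may carry a query string)
    category: str     # exposure type the scanner claims


# Constructed inventory: three real RXSS cases and two RXSS decoys,
# two real SQLi cases and one SQLi decoy.
TEST_CASES = [
    TestCase("/wavsep/RXSS/Case01.jsp", "RXSS", True),
    TestCase("/wavsep/RXSS/Case02.jsp", "RXSS", True),
    TestCase("/wavsep/RXSS/Case03.jsp", "RXSS", True),
    TestCase("/wavsep/RXSS-FalsePositives/Case01.jsp", "RXSS", False),
    TestCase("/wavsep/RXSS-FalsePositives/Case02.jsp", "RXSS", False),
    TestCase("/wavsep/SQLi/Case01.jsp", "SQLi", True),
    TestCase("/wavsep/SQLi/Case02.jsp", "SQLi", True),
    TestCase("/wavsep/SQLi-FalsePositives/Case01.jsp", "SQLi", False),
]

# Constructed scanner report, exercising the edge cases the scoring must handle:
# a query string on a hit, an out-of-scope category on an RXSS page, a hit on a
# decoy, a duplicate finding, and a finding on a page outside the inventory.
FINDINGS = [
    Finding("/wavsep/RXSS/Case01.jsp?userinput=x", "RXSS"),
    Finding("/wavsep/RXSS/Case02.jsp", "RXSS"),
    Finding("/wavsep/RXSS/Case03.jsp", "SQLi"),                 # out of scope: ignored
    Finding("/wavsep/RXSS-FalsePositives/Case01.jsp", "RXSS"),  # false positive
    Finding("/wavsep/SQLi/Case01.jsp", "SQLi"),
    Finding("/wavsep/SQLi/Case01.jsp", "SQLi"),                 # duplicate: counted once
    Finding("/wavsep/other/index.jsp", "RXSS"),                 # not in inventory: ignored
]


def normalize(url: str) -> str:
    """Reduce a URL or path to its path component so that host, query string and
    letter case do not make one test case look like several."""
    return urlsplit(url).path.rstrip("/").lower()


def score(test_cases: Iterable[TestCase], findings: Iterable[Finding]) -> Dict[str, Dict[str, float]]:
    """Per-category confusion counts plus detection and false-positive rates.

    A finding only counts for a test case when its category equals the case's
    intended exposure; anything else is "out of scope" and dropped.
    """
    cases = {normalize(tc.path): tc for tc in test_cases}
    # Set semantics collapse duplicate reports of the same (page, category).
    reported = {(normalize(f.url), f.category) for f in findings}

    counts: Dict[str, Dict[str, float]] = {}
    for path, tc in cases.items():
        c = counts.setdefault(tc.category, {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
        hit = (path, tc.category) in reported
        if tc.vulnerable:
            c["tp" if hit else "fn"] += 1
        else:
            c["fp" if hit else "tn"] += 1

    for c in counts.values():
        positives = c["tp"] + c["fn"]
        decoys = c["fp"] + c["tn"]
        c["detection_rate"] = c["tp"] / positives if positives else 0.0
        c["false_positive_rate"] = c["fp"] / decoys if decoys else 0.0
    return counts


if __name__ == "__main__":
    for category, c in sorted(score(TEST_CASES, FINDINGS).items()):
        print(f"{category}: TP={c['tp']} FN={c['fn']} FP={c['fp']} TN={c['tn']} "
              f"detection={c['detection_rate']:.2f} fp_rate={c['false_positive_rate']:.2f}")
```

Keeping the decoy pages in the same category table is what lets the two numbers be read together: a scanner that flags every page would score a 1.0 detection rate and a 1.0 false-positive rate, which is exactly the trade-off the benchmark's true-positive and false-positive case groups are meant to expose.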