lvanlaw / owaspbwa
Automatically exported from code.google.com/p/owaspbwa
What steps will reproduce the problem?
1. open phpBB
2. log in
What is the expected output? What do you see instead?
Expected to be logged in, but instead redirected to login page.
What version of the product are you using? On what operating system?
0.92rc2
Please provide any additional information below.
Cookie is set to IP address 192.168.23.131. When the VM has a different IP, the
cookie is not valid.
A solution might be to include a cookie-set script that one has to run once
when the VM is started. Example:
http://www.phpbb.com/community/viewtopic.php?t=228741
Original issue reported on code.google.com by [email protected]
on 21 Dec 2010 at 2:19
OWASP BWA comes with OWASP Mutillidae 1.5.
The latest version is 2.1.15 (released on 02/11/2012)
The difference between those two versions is dozens of bug fixes, features, new
vulnerabilities etc... as shown in the change log.
http://www.irongeek.com/i.php?page=mutillidae/change-log
Original issue reported on code.google.com by [email protected]
on 19 Feb 2012 at 8:25
root@owaspbwa:/owaspbwa/owaspbwa-svn/etc/apache2# service apache2 start
* Starting web server apache2 Syntax error on line 143 of /etc/apache2/apache2.conf:
Invalid command 'Order', perhaps misspelled or defined by a module not included
in the server configuration
[fail]
Original issue reported on code.google.com by [email protected]
on 2 May 2011 at 3:56
root@owaspbwa:~# owaspbwa-svn-update.sh
---- Stopping services ----
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql stop
--cut--
Ubuntu prefers /usr/sbin/service <service> <start/stop/restart> instead of
/etc/init.d/<service> <start/stop/restart>
Original issue reported on code.google.com by [email protected]
on 25 Apr 2011 at 10:53
It would be nice to have a non-trivial ASP.NET application (or applications) in
the VM.
One possibility is owasp-hacmebank, which is a version of Foundstone's
HacmeBank which was originally released as open source. Owasp-hacmebank is now
available at: http://code.google.com/p/owasp-hacmebank/.
This is a Windows .NET application that probably assumes a MSSQL back end
database. If we could make the thing work with MySQL or PostgreSQL, it would
be nice, but it will likely be a bit of work.
Other .NET applications that may be candidates are listed at
http://www.asp.net/community/projects.
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 1:17
Files in /etc/apache2/mods-enabled are supposed to be symlinks to files in
/etc/apache2/mods-available. They are symlinks in the release VMs, but the
files are also in SVN as actual data files, which is confusing SVN updates.
Need to remove files from SVN, but leave symlinks on next release.
Original issue reported on code.google.com by [email protected]
on 29 Apr 2011 at 12:53
add tikiwiki 1.9.5
Original issue reported on code.google.com by [email protected]
on 21 Apr 2011 at 12:39
gallery2:
mysql:
create user gallery2@localhost identified by 'gallery2';
grant all privileges on gallery2.* to 'gallery2'@'localhost';
users:
admin/admin
user/user
Original issue reported on code.google.com by [email protected]
on 20 Apr 2011 at 5:35
WackoPicko is a realistic application created with intentional vulnerabilities
for research on web application scanners. Would be nice to include this in the
VM.
More info at:
https://github.com/adamdoupe/WackoPicko
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 2:47
Albino created a training app / game called Hackxor that should be easy to
incorporate into the VM (he even made a script to automate the process). For
more information, see:
https://sourceforge.net/projects/hackxor/files/
http://groups.google.com/group/owaspbwa/browse_thread/thread/d9348bcdef19d185#
http://hackxor.sourceforge.net (playable online version of the first couple
levels).
Original issue reported on code.google.com by [email protected]
on 27 Apr 2011 at 1:58
Currently, HTTP does not appear to be built into the svn binary compiled from
source. Need to fix that so that users can svn update / etc from the command
line.
Original issue reported on code.google.com by [email protected]
on 28 Mar 2012 at 1:24
to keep everything consistent and clean, move the mandiant.png file from
/var/www to /var/www/images/
Original issue reported on code.google.com by [email protected]
on 21 Apr 2011 at 6:35
BodgeIt Store is a relatively new vulnerable web application by the author of
the OWASP ZAP. It is written entirely in JSP. Should look at it for inclusion
on the VM. More info at:
http://code.google.com/p/bodgeit/
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 2:03
There is a reflected XSS issue in the OWASP Vicnum application
http://ip/vicnum/. On that page, when you enter a name
of "Name<script>alert(123)</script>" and press "Play", the script will run
on the next page (http://ip/vicnum/cgi-bin/vicnum1.pl).
Original issue reported on code.google.com by [email protected]
on 25 Oct 2009 at 12:54
Attached is a proposed new index file.
I tried to sort the information out a little better, while not overwhelming the
user. I added some color as well.
Original issue reported on code.google.com by [email protected]
on 17 Apr 2011 at 1:41
When running owaspbwa-svn-update.sh if any other .sh files are updated, the +x
permission is lost, making the script bomb out.
Original issue reported on code.google.com by [email protected]
on 2 May 2011 at 3:42
DVWA is now in SVN at http://dvwa.googlecode.com/svn/trunk/. Should update VM
to check out from that location.
Original issue reported on code.google.com by [email protected]
on 25 Jan 2012 at 1:51
The /etc/hosts file is not in SVN... it should be added. In also needs to be
updated for the hackxor application which uses several host names.
Original issue reported on code.google.com by [email protected]
on 29 Apr 2011 at 1:08
To spice things up a bit, I added two plugins to WordPress (mygallery,
spreadsheet). Also made a post on the front page about it. Most people are
running at least one plug-in, so I thought this gave a more 'real world'
perspective. Also, both plug-ins suffer from vulnerabilities.
http://www.exploit-db.com/exploits/3814/
http://www.exploit-db.com/exploits/5486/
exploit:
http://owaspbwa/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--
the RFI will take some more work, but the vulnerable page is:
http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php
You can remove the .zip plugin files from /var/www/wordpress/wp-content/plugins
to save some space.
If this gets added, let me know and I'll update vuln_list.html!
Original issue reported on code.google.com by [email protected]
on 20 Apr 2011 at 4:04
webcal 1.0.3
mysql:
create user 'webcal'@'localhost' identified by 'webcal';
grant all privileges on webcal.* to 'webcal'@'localhost';
users:
admin/admin
user/user
assistant/assistant
Original issue reported on code.google.com by [email protected]
on 20 Apr 2011 at 2:12
Would be nice to include application(s) written in Python. Perhaps an old
version of Django and/or Zope.
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 2:51
The OWASP Zed Attack Proxy (ZAP) project has created some example web
applications with vulnerabilities for demoing ZAP. These should be looked at
to see if they should be included in the VM.
They can be downloaded from:
http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip&can=2&q=
OR, it may be preferable to sync directly to their SVN repo at
http://zaproxy.googlecode.com/svn/trunk/wave/.
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 1:59
Would like one or more applications that use PostgreSQL or some other database
engine (other than MySQL that is used by most applications). Application(s)
should also have SQL injection vulnerabilities in order to provide an
opportunity for experimenting with the differences in SQL syntax between
different database servers.
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 1:20
Add Joomla 1.5.15
http://www.joomla.org/announcements/release-news/5249-joomla-1515-released.html
and some vulnerable plugins/components.
Original issue reported on code.google.com by [email protected]
on 21 Apr 2011 at 6:11
In 0.94alpha1, visiting http://owaspbwa/awstats/awstats.pl?config=owaspbwa
returns a 404. Need to investigate what is going wrong there.
Original issue reported on code.google.com by [email protected]
on 2 May 2011 at 3:15
Would like to add some Java applications that are more like applications that
you'll find in a typical enterprise. That is, applications that use one or
more of the following frameworks / libraries:
- Struts1
- Struts2
- Spring
- Hibernate
- Ibatis/MyBatis
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 2:37
Look at other apps that are not currently pulled from source repos and see if
they can be pulled directly or if they need to be updated.
Includes:
- AppSensor
- CSRFGuard
- Likely others.
Original issue reported on code.google.com by [email protected]
on 28 Mar 2012 at 1:45
What steps will reproduce the problem?
1. Download, unpack, and start VM
2. Click link to OrangeHRM
What is the expected output? What do you see instead?
Expected: login screen
Output: XSLT error
What version of the product are you using? On what operating system?
0.92rc2 in VMWare player 3.1.3 build-324285
Please provide any additional information below.
URL displayed: http://192.168.109.133/orangehrm/login.php
Error shown:
<?xml version='1.0' encoding='iso-8859-1'?>
<?xml-stylesheet href='/error.xsl' type='text/xsl'?>
<report>
<heading>Warning</heading>
<type>warning</type>
<message><![CDATA[include(lang_default_benefits.php): failed to open stream: No such file or directory]]></message>
<root>/owaspbwa/owaspbwa-svn/var/www/orangehrm</root>
<Wroot></Wroot>
<stylesheet>beyondT</stylesheet>
<logPath><![CDATA[/owaspbwa/owaspbwa-svn/var/www/orangehrm/lib/logs/]]></logPath>
<cause>
<message><![CDATA[Encountered the problem in /owaspbwa/owaspbwa-svn/var/www/orangehrm/language/nl/lang_nl_full.php]]></message>
</cause>
<cause>
<message><![CDATA[Line 1712]]></message>
</cause>
<environment>
<version type='ohrm' description='OrangeHRM' ><![CDATA[2.4.2]]></version>
<version type='php' description='PHP' ><![CDATA[5.3.2-1ubuntu4.5]]></version>
<version type='mysql' description='MySQL Client' ><![CDATA[5.1.41]]></version>
<info type='memory_limit' description='Memory limit' ><![CDATA[128M]]></info>
<info type='session.gc_maxlifetime' description='Maximum session lifetime' ><![CDATA[1440]]></info>
</environment>
<cmd n='js'><![CDATA[alert('Warning :\ninclude(lang_default_benefits.php): failed to open stream: No such file or directory\nin /owaspbwa/owaspbwa-svn/var/www/orangehrm/language/nl/lang_nl_full.php\non line 1712');]]></cmd>
</report>
Original issue reported on code.google.com by [email protected]
on 6 Dec 2010 at 11:09
The Peruggia application works ok at first, but once you upload a new image
file, the ability to comment on images no longer works. It isn't clear to me
if this is a problem with how the application is set up in OWASP BWA or if the
original application has the issue. This needs more research.
Original issue reported on code.google.com by [email protected]
on 20 Jan 2011 at 8:56
I have done a few minor adjustments for cross browser compatibility. Also
added a logo at the top for owasp, created a vuln_list.html file with as many
vuln as I could find/prove for myself. Made the links between the index.html
file and the vuln_list. Also added webcal to the list in index.html as well as
making that table 2 wide.
http://sourceforge.net/apps/trac/owaspbwa/report/1 could use a refresh also
with the vulnerabilities identified.
Original issue reported on code.google.com by [email protected]
on 18 Apr 2011 at 8:19
Do we want to include these? I can put them in, just didn't know if we wanted
these additional items as 'training' environments.
http://google-gruyere.appspot.com/part1
https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project#tab=Main
I see the OWASP-IWAP is orphaned. Maybe that gets sucked into this project?
I'm no programmer, but if we can at least get it running I think it would help
everyone out.
Original issue reported on code.google.com by [email protected]
on 21 Apr 2011 at 3:04
VM is running ModSecurity from Ubuntu packages, which is 2.5.11. Would be nice
to upgrade for 1.0 release.
Original issue reported on code.google.com by [email protected]
on 25 Jan 2012 at 1:37
I vaguely remember that the way that WebGoat is built and deployed on the VM is
a bit ugly. That should be reviewed and cleaned up.
Original issue reported on code.google.com by [email protected]
on 2 May 2011 at 3:14
Seems to be due to a user permission problem, svn makes all updated files owned
by root.
Script attached can fix the issue.
Original issue reported on code.google.com by [email protected]
on 19 Apr 2011 at 11:27
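The two svn-update complaints above, the lost +x on updated .sh files and updated files ending up owned by root, come from the same place: svn rewrites files without preserving local mode bits, and it was run as root. The following post-update fixup is an added example, not owaspbwa-svn-update.sh and not the attached script; the tree path and the service account name it takes are assumptions for illustration. Note that chmod only repairs the checkout in front of you; the durable fix for the execute bit is to version it with `svn propset svn:executable on <file>` so every future update carries it.

```shell
#!/bin/sh
# Added example, not part of OWASP BWA: post-update fixup for an svn checkout.
#  - restores the execute bit on *.sh files that an update rewrote without it
#  - hands files that svn (run as root) created back to the service account
# Both arguments are assumptions for illustration; adjust to the real tree.

fixup_tree() {
  tree="$1"      # e.g. /owaspbwa/owaspbwa-svn (assumed path)
  owner="$2"     # e.g. www-data (assumed account)
  [ -d "$tree" ] || { echo "no such directory: $tree" >&2; return 1; }

  # Restore +x on shell scripts lacking the owner execute bit (-perm -100 is POSIX).
  # The durable fix is "svn propset svn:executable on <file>" so the bit is versioned.
  find "$tree" -type f -name '*.sh' ! -perm -100 -exec chmod u+x {} +

  # svn run as root leaves new files owned by root; return them to the service user.
  # Only attempt this as root, otherwise chown would fail on files we do not own.
  if [ "$(id -u)" -eq 0 ]; then
    chown -R "$owner" "$tree"
  fi
}

# List scripts in the tree that are still not executable (a quick check after an update).
unexecutable_scripts() {
  find "$1" -type f -name '*.sh' ! -perm -100
}
```

Run `unexecutable_scripts /owaspbwa/owaspbwa-svn` after an update to see what svn clobbered, then `fixup_tree /owaspbwa/owaspbwa-svn www-data` as root; the account name is whatever the VM's Apache actually runs as.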
I think awstats would be a good perl application to add.
http://sourceforge.net/projects/awstats/files/AWStats/6.4/awstats-6.4.zip/download
6.4 has quite a few vulnerabilities including a few command injections:
http://www.exploit-db.com/exploits/9909/,
http://www.exploit-db.com/exploits/1755/,
http://www.exploit-db.com/exploits/817/ (DoS would be nice, we don't have any of
those), http://www.securityfocus.com/bid/12572, possibly
http://www.securityfocus.com/bid/10950
Original issue reported on code.google.com by [email protected]
on 25 Apr 2011 at 5:13
http://rubyforge.org/ has a bunch of Ruby apps, we could pick one or two from
there. I see http://rubyforge.org/projects/redmine/ is one of the top
downloads for that. There is a command injection vuln and a CSRF on
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=redmine&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
Original issue reported on code.google.com by [email protected]
on 25 Apr 2011 at 5:29
Would like to add application(s) that use Adobe Flash on the client side.
Specifically looking for applications that use the AMF (Action Message Format)
instead of standard HTTP for communication.
Some candidate applications can be found under "Flash Applications" at
http://osflash.org/open_source_flash_projects.
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 1:54
Reported by user:
It would appear that a PHP upgrade has broken the RFI vulnerabilities within
the various applications as the "/etc/PHP5/php.ini" contains the following line:
allow_url_include=Off
Should be able to change the above line and get RFI working again.
Original issue reported on code.google.com by [email protected]
on 25 Jan 2012 at 2:08
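The php.ini line above is the whole story: PHP 5.2+ refuses `include("http://...")` unless allow_url_include is On, and that flag in turn does nothing unless allow_url_fopen is also On. The helper below is an added example, not OWASP BWA code; it reads the effective value of a key the way PHP does (last uncommented assignment wins) and rewrites it in place. The ini syntax it assumes is the standard one, and the path in the usage comment is an assumption: on Debian-derived systems Apache's mod_php loads /etc/php5/apache2/php.ini, not the CLI file, so confirm with phpinfo() which file the web SAPI actually read before editing.

```shell
#!/bin/sh
# Added example, not OWASP BWA code: inspect and toggle a php.ini flag so the
# RFI lessons work again after a PHP upgrade reset allow_url_include.
# Assumes php.ini syntax ("key = value", ";" starts a comment); the paths in the
# usage line are assumptions for a Debian-derived VM.
# allow_url_include=On is deliberately insecure; it belongs only on a throw-away
# training VM, and it has no effect unless allow_url_fopen is also On.

# Effective value of a key: last uncommented assignment wins, as PHP does.
ini_get() {
  awk -v k="$2" '
    /^[ \t]*[;#]/ { next }                       # whole-line comment
    {
      line = $0
      sub(/[ \t]*;.*$/, "", line)                # trailing comment
      n = index(line, "=")
      if (n == 0) next
      name = substr(line, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (name != k) next
      val = substr(line, n + 1);     gsub(/^[ \t]+|[ \t]+$/, "", val)
      found = val
    }
    END { if (found != "") print found }' "$1"
}

# Rewrite every uncommented assignment of key in place, or append one.
ini_set() {
  file="$1"; key="$2"; val="$3"
  out="$file.new.$$"
  awk -v k="$key" -v v="$val" '
    {
      line = $0
      if (line !~ /^[ \t]*[;#]/) {
        n = index(line, "=")
        if (n > 0) {
          name = substr(line, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
          if (name == k) { print k " = " v; done = 1; next }
        }
      }
      print line
    }
    END { if (!done) print k " = " v }' "$file" > "$out" && mv "$out" "$file"
}

# PHP accepts On/1/Yes/True (any case) as a true flag.
is_on() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    on|1|yes|true) return 0 ;;
    *) return 1 ;;
  esac
}

# Both flags must be on for include("http://...") to reach the network.
rfi_enabled() {
  is_on "$(ini_get "$1" allow_url_include)" && is_on "$(ini_get "$1" allow_url_fopen)"
}

# Usage on the VM (paths assumed; confirm the loaded file with phpinfo()):
#   ini_set /etc/php5/apache2/php.ini allow_url_include On && service apache2 restart
#   rfi_enabled /etc/php5/apache2/php.ini && echo "RFI lessons live again"
```

`rfi_enabled` is the check worth keeping around: after the next package upgrade it tells you in one line whether the RFI exercises silently stopped working again.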
I noticed that all the tomcat apps we currently have respond on port 80, yet
tomcat is on 8080. When i installed the 2 new .war files, they only respond on
8080. How are you doing the redirect?
Original issue reported on code.google.com by [email protected]
on 26 Apr 2011 at 10:51
After seeing Rapid7's post about setting up a lab with UltimateLAMP (last
updated ~2006), I wanted to attempt to get some more old web apps in BWA.
There is no reason to use a product that is 5yrs old when this one should work
much better.
I will start work on adding some of the web applications that UltimateLAMP has,
that OWASPBWA is missing.
My list starts as follows:
TextPattern (4.0.3)
Serendipity (0.9.1) -> http://prdownloads.sourceforge.net/php-blog/serendipity-0.9.1.tar.gz?download
MediaWiki (1.6.5) -> version .3 and .8 http://dumps.wikimedia.org/mediawiki/1.6/
TikiWiki (1.9.3.1) -> 1.9.11 http://sourceforge.net/projects/tikiwiki/files/TikiWiki%201.9.x%20-Sirius-/tiki%201.9.11/tikiwiki-1.9.11.tar.gz/download
PHP Gallery (2.1.1a) -> http://gallery.menalto.com/gallery_2.1.1_released
Moodle (1.5.3) -> http://download.moodle.org/download.php/stable15/moodle-1.5.3.tgz
OsCommerce (2.2m2) -> http://www.exploit-db.com/application/15472/
Zen Cart (1.3.0) -> http://sourceforge.net/projects/zencart/files/CURRENT_%20Zen%20Cart%201.3.x%20Series/Zen%20Cart%20v1.3.0.0%20-%20Initial%20Release/
PhpWebSite (0.10.2)
Joomla (1.0.1)
eGroupWare (1.2.1)
Drupal (4.7.0) -> http://ftp.drupal.org/files/projects/drupal-4.7.0.tar.gz
Sugar CRM (4.2.0) -> http://www.sugarforge.org/frs/download.php/1365/SugarSuite-4.2.0d.zip
Owl (0.90)
WebCalendar (1.0.3) -> http://sourceforge.net/projects/webcalendar/files/webcalendar%201.0/1.0.3/WebCalendar-1.0.3.tar.gz/download
Dot Project (2.0.2) -> http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20version%202.0.2/dotproject-v2.0.2.tar.gz/download
PhpAdsNew (2.0.8) -> http://sourceforge.net/projects/phpadsnew/files/Current%20Release/phpAdsNew%202.0.8-pr1/phpAdsNew-2.0.8-pr1.tar.gz/download
Bugzilla (2.22) -> http://ftp.mozilla.org/pub/mozilla.org/webtools/archived/bugzilla-2.22.tar.gz
PhpMyAdmin (2.8.0.3)
Webmin (1.270) -> http://sourceforge.net/projects/webadmin/files/webmin/1.270/webmin-1.270.tar.gz/download
I would also like to make the index page for OWASPBWA better organized. I much
prefer the UltimateLAMP version, it is just prettier and more organized in my
opinion.
Original issue reported on code.google.com by [email protected]
on 15 Apr 2011 at 11:29
owaspbwa-delete-temp-and-log-files.sh calls mvn clean for webgoat. This ends
up downloading some files from the Internet, which makes the script take a bit
longer than it should and may also be cluttering up the disk rather than
cleaning it up. Need to investigate this and correct.
Original issue reported on code.google.com by [email protected]
on 2 May 2011 at 2:24