The Web Application Vulnerability Scanner Evaluation Project
Here are some of its features:
Project WAVSEP currently includes the following test cases:
Vulnerabilities:
- Path Traversal/LFI: 816 test cases, implemented in 816 jsp pages (GET & POST)
- Remote File Inclusion (XSS via RFI): 108 test cases, implemented in 108 jsp pages (GET & POST)
- Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
- Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)
- Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)
- Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)
- Passive Information Disclosure/Session Vulnerabilities (inspired/imported from ZAP-WAVE): 3 test cases of erroneous information leakage, and 2 cases of improper authentication / information disclosure - implemented in 5 jsp pages
- Experimental Test Cases (inspired/imported from ZAP-WAVE): 9 additional RXSS test cases (anti-CSRF tokens, secret input vectors, tag signatures, etc.), and 2 additional SQLi test cases (INSERT) - implemented in 11 jsp pages (GET & POST)
- 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST )
- 10 different categories of false positive SQL Injection vulnerabilities (GET & POST)
- 8 different categories of false positive path traversal/LFI vulnerabilities (GET & POST)
- 6 different categories of false positive remote file inclusion vulnerabilities (GET & POST)
- A simple web interface for accessing the vulnerable pages
- An auto-installer for the mysql database schema (/wavsep-install/install.jsp)
- Sample detection & exploitation payloads for each and every test case
- Database connection pool support, ensuring the consistency of scanning results
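The benchmark is meant to be scored: every test page is either a real vulnerability the scanner should report or a false-positive trap it should stay silent on. As an added example (not part of the original page or of WAVSEP itself), the Python below takes that ground truth plus the URLs a scanner reported and computes the detection rate and the false-positive rate per category. The page paths, the category names and the scanner report are constructed for illustration and do not reflect WAVSEP's real directory layout.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Case:
    path: str         # page path under the web root (constructed, not the real WAVSEP layout)
    category: str     # benchmark category, e.g. "RXSS" or "SQLi"
    vulnerable: bool  # True: real vulnerability; False: false-positive trap page


def page_path(url: str) -> str:
    """Reduce a scanner-reported URL to its page path (drop host, query and fragment)."""
    return urlsplit(url).path


def score(cases, reported_urls):
    """Return {category: {"detection": r, "false_positive": r}}: detection is the share of
    vulnerable pages the scanner flagged; false_positive is the share of trap pages it flagged."""
    flagged = {page_path(u) for u in reported_urls}
    tally = defaultdict(lambda: {"tp": 0, "vuln": 0, "fp": 0, "trap": 0})
    for c in cases:
        t = tally[c.category]
        if c.vulnerable:
            t["vuln"] += 1
            t["tp"] += int(c.path in flagged)
        else:
            t["trap"] += 1
            t["fp"] += int(c.path in flagged)
    return {cat: {"detection": t["tp"] / t["vuln"] if t["vuln"] else 0.0,
                  "false_positive": t["fp"] / t["trap"] if t["trap"] else 0.0}
            for cat, t in tally.items()}


# Constructed ground truth: four real RXSS pages and one RXSS trap, one real SQLi page and one SQLi trap.
CASES = [
    Case("/wavsep/active/RXSS/GET/Case01.jsp", "RXSS", True),
    Case("/wavsep/active/RXSS/GET/Case02.jsp", "RXSS", True),
    Case("/wavsep/active/RXSS/GET/Case03.jsp", "RXSS", True),
    Case("/wavsep/active/RXSS/GET/Case04.jsp", "RXSS", True),
    Case("/wavsep/active/RXSS-FalsePositives/GET/Case01.jsp", "RXSS", False),
    Case("/wavsep/active/SQLi/GET/Case01.jsp", "SQLi", True),
    Case("/wavsep/active/SQLi-FalsePositives/GET/Case01.jsp", "SQLi", False),
]

# Constructed scanner report: URLs (with the scanner's own parameters) it flagged as vulnerable.
REPORTED = [
    "http://localhost:8080/wavsep/active/RXSS/GET/Case01.jsp?userinput=x",
    "http://localhost:8080/wavsep/active/RXSS/GET/Case02.jsp?userinput=x",
    "http://localhost:8080/wavsep/active/RXSS/GET/Case04.jsp?userinput=x",
    "http://localhost:8080/wavsep/active/SQLi-FalsePositives/GET/Case01.jsp?id=1",
]
```

With this input the scanner scores 75% detection and 0% false positives on RXSS, but 0% detection and 100% false positives on SQLi, which is exactly the split the trap pages exist to expose.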
Installation
(@) Use a JRE/JDK that was installed using an offline installation (the online installation caused unknown bugs for some users).
(1) Download & install Apache Tomcat 6.x
(2) Download & install MySQL Community Server 5.5.x (Remember to enable remote root access if not in the same station as wavsep, and to choose a root password that you remember).
(3) Copy the wavsep.war file into the tomcat webapps directory (Usually "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps" - Windows 32/64 Installer)
(4) Restart the application server
(5) On WinXP, as long as you are using a high-privileged user, you can skip this phase; on Win7, make sure you run the Tomcat server with administrative privileges (right-click on it and execute); and on Ubuntu Linux, run the following commands:
sudo mkdir /var/lib/tomcat6/db
sudo chown tomcat6:tomcat6 /var/lib/tomcat6/db/
(6) Initiate the install script at: http://localhost:8080/wavsep/wavsep-install/install.jsp
(7) Provide the database host, port and root credentials to the installation script, in addition to customizable wavsep database user credentials.
(8) Access the application at: http://localhost:8080/wavsep/
I'll be testing it and will comment on how it works.
Robotic greetings.
Sources:
https://code.google.com/p/wavsep/
http://www.n0where.net/2012/07/wavsep-v12.html