[W3af-users] deliberately vulnerable app was: run profile without target
From: Vojtěch P. <kr...@gm...> - 2015-12-02 09:05:41
Greetings,
thanks for the resources. But why do you think that Webgoat is not a good web app for testing W3AF? Do you think that it contains too many vulnerabilities, which need manual investigation?
Thanks,
Vojta

On 1.12.2015 at 17:50 Matt Tesauro wrote:
> Vojtech,
>
> I'd suggest you look at this project:
> https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
>
> In the "Off-line" tab, there's a list of apps and the technology used
> to create them.
>
> For instance, Bodgeit Store is a Java based vulnerable app:
> https://github.com/psiinon/bodgeit
>
> Best of luck!
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Tue, Dec 1, 2015 at 7:42 AM, Vojtěch Polášek <kr...@gm...> wrote:
>
> Hi,
> I would like to run W3AF against a commercial web application which uses
> similar technologies as Webgoat. Do you think that the applications which
> you mentioned will be able to provide some baseline for comparing
> results?
> I need to find out if W3AF can correctly detect vulnerabilities in
> deliberately vulnerable applications before running it against the
> commercial application.
> The vulnerable application should be as close as possible to the commercial
> one in terms of used technologies.
> Thank you,
> Vojtěch Polášek
>
>
> On 1.12.2015 at 14:19 Andres Riancho wrote:
> > webgoat is not usually a good target for testing scanners. I would
> > recommend other applications such as:
> > * http://testphp.acunetix.com/
> > * https://github.com/andresriancho/django-moth
> >
> > On Mon, Nov 30, 2015 at 3:41 PM, Vojtěch Polášek <kr...@gm...> wrote:
> >> Greetings,
> >> thanks for the reply, I will try it out.
> >> To be exact, I am running W3Af against Owasp Webgoat, which runs on Tomcat.
> >> Best regards,
> >> Vojta
> >>
> >> On 30.11.2015 at 18:54 Andres Riancho wrote:
> >>> Vojtěch,
> >>>
> >>> Questions are welcome :)
> >>>
> >>> I assume you wanted to say JavaScript instead of Java, if JS is
> >>> heavily used, then yes the web_spider is "almost useless".
> >>>
> >>> Well, the scan of the target URL can't be prevented, but if you
> >>> set the URL to http://target.com/ and disable web_spider, then w3af
> >>> won't have any parameters to find vulnerabilities in and the target is
> >>> "ignored" (most likely, haven't tested it).
> >>>
> >>> Regards,
> >>>
> >>> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek <kr...@gm...> wrote:
> >>>> Greetings,
> >>>> my name is Vojtěch Polášek and I am a blind IT student from the Czech Republic.
> >>>> As a part of my bachelor thesis, I am researching some tools for
> >>>> security analysis of web applications. One of those tools is W3AF, so
> >>>> expect some questions in the near future :-)
> >>>> I need to perform analysis of a Java application, where web_spider is
> >>>> useless. Therefore I use the spider_man plugin. My question is: would it be
> >>>> possible to prevent the initial scan of the URL set as target?
> >>>> Because it does not make much sense, as all needed input is facilitated
> >>>> through spider_man.
> >>>> Thank you for your response and best regards,
> >>>> Vojtěch Polášek
> >>>>
> >>>> ------------------------------------------------------------------------------
> >>>> Go from Idea to Many App Stores Faster with Intel(R) XDK
> >>>> Give your users amazing mobile app experiences with Intel(R) XDK.
> >>>> Use one codebase in this all-in-one HTML5 development environment.
> >>>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
> >>>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> >>>> _______________________________________________
> >>>> W3af-users mailing list
> >>>> W3a...@li...
> >>>> https://lists.sourceforge.net/lists/listinfo/w3af-users