August 28, 2009 at 1:40 am #4197
Damn Vulnerable Web App (DVWA) v1.0.5 is near completion and I am looking for some feedback/suggestions before the official release.
Theres still some things that need completeing:
Need to fix the ‘File Inclusion’ vulnerability.
Make IE friendly.
Any feedback is much appreciated! Thanks guys/girls! ;D
September 3, 2009 at 6:53 pm #26572
Downloaded for the purpose to test websecurify. It looks nice and instrumental in learning web application security.
I’m not sure if the XSS reflected section was or was not intentionally left out since I know you are still working on this version but just in case I wanted to let you know.
And another thing, I saw it some where on the web that you have tested websecurify and I wanted to know if you used it against dvwa. I tried it but it appears that this tool needs to authenticate to dvwa to fully test it. There’s no way to add login information to websecurify unless its possible to add it to the URL. Any tips you can provide? Thanks.
September 3, 2009 at 7:53 pm #26573
The reflected XSS was a SVN conflict that we had, for some reason the client didnt update those files.
v1.0.5 was officially released today wich includes the reflected XSS files. 🙂
I could never get websecurify to work with DVWA either, due to the authentication. I was hoping the main dev would have fixed it in the recent newer releases but they still did not work. I will contact him and see if he can help us out.
We also have a new homepage:
Thanks for the feedback! ;D
September 3, 2009 at 8:05 pm #26574
Hey! thanks for your speedy response. I will download the official version and hopefully in the future websecurify will work against dvwa.
Keep up the good work. DVWA is a nice piece of work. Thanks again.
September 3, 2009 at 9:34 pm #26575
As mentioned by Ketchup in
websecurify has the ability to login to the web application before testing. I didn’t see the login link underneath the URL input field.
September 3, 2009 at 9:54 pm #26576
Ok, I tested DVWA 1.0.5 using WEBSECURIFY. You first have to click on the “login to the application first” link in websecurify then supply http://127.0.0.1 and it will scan it completely.
Now, websecurify only reported CSRF, Autocomplete enabled and banner disclosure. I know this tool is in beta stage and I’m looking forward to future improvements.
September 3, 2009 at 10:00 pm #26577
I think it only shows those because its only testing login.php.
WEBSECURIFY would think that the login script was vulnerable to CSRF becuase it does not know the context of what the page is used for. The login page doesnt have ‘AUTOCOMPLETE=OFF’ in the source and the banner just comes from the webserver.
I posted on the WEBSECURIFY mailing list for some help, hopefully they will guide us in the right direction.
September 3, 2009 at 10:06 pm #26578
When WEBSECURIFY is scanning, it shows the directories that it is scanning so I assume its going through all of them. Also, I don’t know if the built-in browser remembers the security settings when I set it to low.
September 3, 2009 at 10:15 pm #26579
The WEBSECURIFY tool is not just scanning the login page but other dwva directories as well. This is indicated in the tool report.
September 3, 2009 at 10:27 pm #26580
September 3, 2009 at 10:36 pm #26581
As far as WEBSECURIFY built-in browser is concern, it does remember the security settings. If I log out of dvwa and log in again, I can see at the bottom left hand corner of the home page that the security level is set to low. Now, I’m not sure about WEBSECURIFY scanner tool. This has to be check.
September 6, 2009 at 12:13 am #26582
Im still waiting on a reply from pdp (the author) about this. Will get back to you when he gets back to me.
- You must be logged in to reply to this topic.