Tuesday, July 17, 2012

Wavsep v1.2 - The Web Application Vulnerability Scanner Evaluation Project


The Web Application Vulnerability Scanner Evaluation Project

A vulnerable web application designed to help assess the features, quality and accuracy of web application vulnerability scanners.

This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
Important Update: as of v1.1.1, the auto-installer must be used: load the war in Tomcat, open the URL "/wavsep/wavsep-install/install.jsp", and follow the instructions (the installation scripts provided as a separate download are for the legacy wavsep versions 1.0.3/1.0 only).
Note: as of v1.2, full coverage of the path traversal test cases requires that the Tomcat web server run under an admin/root (high-privileged) OS user account. Do this only on an isolated lab machine or VM: WAVSEP is intentionally vulnerable, and a Tomcat running as root lets every LFI test case read any file on the host.
Potential Issue: even without the LFI/RFI test cases, the default Derby DB location may require the Tomcat user to have admin/root permissions under Linux/Win7. Will be fixed ASAP. An alternative (and more elegant) solution was proposed by Steve Pinkham (@spinkham) of Maven Security: make sure $CATALINA_BASE/db exists and is writable by the Tomcat process. On Ubuntu, for example, $CATALINA_BASE is /var/lib/tomcat6:
sudo mkdir /var/lib/tomcat6/db
sudo chown tomcat6:tomcat6 /var/lib/tomcat6/db/

Previous benchmarks performed using the platform:

SecToolMarket - A Dynamic Security Benchmark Presentation Platform
The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners
The 2011 comparison of 60 commercial & open source scanners
The 2010 comparison of 42 open source scanners

Additional information can be found in the developer's blog: http://sectooladdict.blogspot.com/
PDF files with detailed feature comparison are now hosted in the following web site: http://code.google.com/p/sectooladdict-benchmarks/

Project WAVSEP currently includes the following test cases:

Vulnerabilities:
  • Path Traversal/LFI: 816 test cases, implemented in 816 jsp pages (GET & POST)
  • Remote File Inclusion (XSS via RFI): 108 test cases, implemented in 108 jsp pages (GET & POST)
  • Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
  • Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)
  • Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)
  • Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)
  • Passive Information Disclosure/Session Vulnerabilities (inspired/imported from ZAP-WAVE): 3 test cases of erroneous information leakage, and 2 cases of improper authentication / information disclosure - implemented in 5 jsp pages
  • Experimental Test Cases (inspired/imported from ZAP-WAVE): 9 additional RXSS test cases (anti-CSRF tokens, secret input vectors, tag signatures, etc.), and 2 additional SQLi test cases (INSERT) - implemented in 11 jsp pages (GET & POST)
False Positives:
  • 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST)
  • 10 different categories of false positive SQL Injection vulnerabilities (GET & POST)
  • 8 different categories of false positive path traversal/LFI vulnerabilities (GET & POST)
  • 6 different categories of false positive remote file inclusion vulnerabilities (GET & POST)
Additional Features:
  • A simple web interface for accessing the vulnerable pages
  • An auto-installer for the mysql database schema (/wavsep-install/install.jsp)
  • Sample detection & exploitation payloads for each and every test case
  • Database connection pool support, ensuring the consistency of scanning results

Usage

Although some of the test cases are vulnerable to additional exposures, each test case exists to evaluate the detection accuracy of one type of exposure only; “out of scope” exposures should therefore be ignored when scoring the accuracy of a vulnerability scanner, and the false positive categories above should be scored separately, as control cases that a scanner must not flag.
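As an added illustration of this scoring rule (example code written for this page, not part of WAVSEP or of any benchmark that used it): a small harness that takes a manifest of test cases, each labelled with the one exposure it measures and whether it is a real vulnerability or a false-positive control, matches scanner findings against it, and reports per-category detection and false positive rates. The manifest paths, category names and scanner findings are constructed for the example; real WAVSEP URLs and a real scanner's report format will differ, and a real harness would load both from files.

```python
"""Score a scanner run against a WAVSEP-style test-case manifest.

Added example for this page, not part of WAVSEP. All paths, category names
and findings below are constructed; only the scoring rule is the point.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    path: str         # URL path of the JSP test page (hypothetical)
    category: str     # the single exposure the page is built to measure
    vulnerable: bool  # False for the false-positive control cases


@dataclass(frozen=True)
class Finding:
    path: str         # URL path the scanner reported
    category: str     # exposure type the scanner reported


# Constructed manifest (a real WAVSEP category has dozens to hundreds of cases).
MANIFEST = [
    TestCase("/wavsep/active/RXSS/Case01.jsp", "RXSS", True),
    TestCase("/wavsep/active/RXSS/Case02.jsp", "RXSS", True),
    TestCase("/wavsep/active/RXSS/Case03.jsp", "RXSS", True),
    TestCase("/wavsep/active/RXSS/FalsePositives/Case01.jsp", "RXSS", False),
    TestCase("/wavsep/active/SQLi/Case01.jsp", "SQLI", True),
    TestCase("/wavsep/active/SQLi/Case02.jsp", "SQLI", True),
    TestCase("/wavsep/active/SQLi/FalsePositives/Case01.jsp", "SQLI", False),
]

# Constructed scanner output: hits, a miss, a false positive and one
# out-of-scope finding (an XSS report on a page built to measure SQLi).
FINDINGS = [
    Finding("/wavsep/active/RXSS/Case01.jsp", "RXSS"),
    Finding("/wavsep/active/RXSS/Case02.jsp", "RXSS"),
    Finding("/wavsep/active/RXSS/FalsePositives/Case01.jsp", "RXSS"),  # false positive
    Finding("/wavsep/active/SQLi/Case01.jsp", "SQLI"),
    Finding("/wavsep/active/SQLi/Case02.jsp", "RXSS"),  # out of scope: ignored
]


def score(manifest, findings):
    """Per-category tp/fn/fp/tn plus detection and false positive rates.

    A finding counts only when its reported type matches the exposure the
    page was built to measure; any other finding on that page is an
    out-of-scope exposure and is ignored, as the usage notes require.
    """
    by_path = {tc.path: tc for tc in manifest}
    detected = set()
    for f in findings:
        tc = by_path.get(f.path)
        if tc is not None and tc.category == f.category:
            detected.add(tc.path)

    stats = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for tc in manifest:
        s = stats[tc.category]
        hit = tc.path in detected
        if tc.vulnerable:
            s["tp" if hit else "fn"] += 1
        else:
            s["fp" if hit else "tn"] += 1

    result = {}
    for cat, s in stats.items():
        vuln = s["tp"] + s["fn"]
        controls = s["fp"] + s["tn"]
        result[cat] = {
            **s,
            "detection_rate": s["tp"] / vuln if vuln else 0.0,
            "false_positive_rate": s["fp"] / controls if controls else 0.0,
        }
    return result


if __name__ == "__main__":
    for cat, r in sorted(score(MANIFEST, FINDINGS).items()):
        print(f"{cat}: detection {r['detection_rate']:.0%}, "
              f"false positives {r['false_positive_rate']:.0%} "
              f"(tp={r['tp']} fn={r['fn']} fp={r['fp']} tn={r['tn']})")
```

With the constructed input the harness reports RXSS at 2/3 detection with the control case flagged (100% false positives on one control), and SQLI at 1/2 detection with no false positives; the XSS finding on the SQLi page changes neither number.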


Installation

(0) Use a JRE/JDK installed with an offline installer (the online installer caused unexplained bugs for some users).
(1) Download & install Apache Tomcat 6.x
(2) Download & install MySQL Community Server 5.5.x. If MySQL does not run on the same machine as wavsep, enable remote root access (a lab-only setting; restrict it to the wavsep host's address), and choose a root password that you will remember.
(3) Copy the wavsep.war file into the Tomcat webapps directory (usually "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps" with the Windows 32/64 installer)
(4) Restart the application server
(5) On WinXP, as long as you are using a high-privileged user, you can skip this step. On Win7, make sure you run the Tomcat server with administrative privileges (right-click, "Run as administrator"). On Ubuntu Linux, run the following commands:

sudo mkdir /var/lib/tomcat6/db
sudo chown tomcat6:tomcat6 /var/lib/tomcat6/db/
(6) Open the install script at: http://localhost:8080/wavsep/wavsep-install/install.jsp
(7) Provide the database host, port and root credentials to the installation script, in addition to the (customizable) credentials for the wavsep database user.
(8) Access the application at: http://localhost:8080/wavsep/
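The permissions fix in step (5) is easy to get wrong when Tomcat runs under a different user than the one typing the commands (the directory ends up owned by the wrong account, or the service user only reaches it through a non-writable group), so here is an added pre-flight check, example code written for this page and not part of WAVSEP or Tomcat. It reports whether the Tomcat user can write to $CATALINA_BASE/db before you start the server, using the Ubuntu layout from step (5) (/var/lib/tomcat6 and user tomcat6) as defaults; it reproduces the POSIX owner/group/other write check from the directory's mode bits and does not model ACLs or AppArmor/SELinux policy, so it is a Linux-only check.

```python
"""Pre-flight check: can the Tomcat user write the Derby "db" directory?

Added example for this page, not part of WAVSEP or Tomcat. Defaults assume
the Ubuntu layout from the installation steps: $CATALINA_BASE=/var/lib/tomcat6
and service user "tomcat6". Only POSIX mode bits are evaluated; ACLs and
AppArmor/SELinux policy are not modelled.
"""
import grp
import os
import pwd
import stat
import sys


def mode_allows_write(st_mode, st_uid, st_gid, uid, gid, extra_groups=()):
    """Discretionary write check in the order the kernel applies it:
    root always wins, then the owner bits if the uid owns the file, then the
    group bits if the gid (or a supplementary group) matches, else 'other'."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid == gid or st_gid in extra_groups:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def can_write(path, uid, gid, extra_groups=()):
    st = os.stat(path)
    return mode_allows_write(st.st_mode, st.st_uid, st.st_gid, uid, gid, extra_groups)


def check_db_dir(catalina_base, user):
    """Return a list of problems; an empty list means Derby can create its files."""
    db_dir = os.path.join(catalina_base, "db")
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return [f"no such user: {user}"]
    # Supplementary groups the service user belongs to (from /etc/group).
    groups = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    if os.path.isdir(db_dir):
        target = db_dir          # Derby must be able to add files here
    elif os.path.isdir(catalina_base):
        target = catalina_base   # Derby creates db/ itself if it may write here
    else:
        return [f"{catalina_base} does not exist"]
    if not can_write(target, pw.pw_uid, pw.pw_gid, groups):
        return [f"{target} is not writable by {user}; fix with: "
                f"sudo mkdir -p {db_dir} && sudo chown {user}:{user} {db_dir}"]
    return []


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/tomcat6"
    user = sys.argv[2] if len(sys.argv) > 2 else "tomcat6"
    problems = check_db_dir(base, user)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print(f"OK: {user} can write the Derby db directory under {base}")
    sys.exit(1 if problems else 0)
```

Run it as any user (it only needs to stat the directories), e.g. `python3 check_db_dir.py /var/lib/tomcat6 tomcat6`; a non-zero exit means the SQLi test-case installer at install.jsp will fail until the suggested mkdir/chown is applied. If you chose the root-Tomcat route from the note above instead, the check passes trivially, which is exactly why that route is lab-only.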



Troubleshooting Installation Issues


  • As of version v1.1.1, several installation-related issues (encoding and others) were fixed.
  • Make sure the JRE/JDK was installed using an offline installer.
  • Make sure the Tomcat server was installed after the offline JRE/JDK installation.
  • Make sure the MySQL server was installed with remote root connections enabled and with a firewall rule exception (both are options in the MySQL installer).
  • If a previous wavsep v1.1.0+ was installed, it is best to delete the "db" folder that the previous installation created under the Tomcat root directory before installing the new version (installation should work even without this deletion, as long as no SQL-related pages were accessed during the current Tomcat run).
  • If the previous Derby database was not deleted before installation, for whatever reason, do not access any existing SQL-related pages before accessing the schema installation page.
  • On Windows 7, it might be necessary to run the Tomcat server with administrative permissions for the SQLi test-case installation to work properly.

  • Changes in version 1.2
    (*) Added 816 Path Traversal / Local File Inclusion test cases.
    (*) Added 8 categories of false positive Path Traversal / Local File Inclusion test cases.
    (*) Added 108 Remote File Inclusion test cases.
    (*) Added 6 categories of false positive Remote File Inclusion test cases.
    (*) Replicated 408 Path Traversal test cases to the "active-form-action-version" directory, and altered them to include the action property in forms.
    (*) Created a platform for easily implementing test cases for 4+ additional vulnerabilities (Open Redirect, Insecure Forward/File Enumeration, Code LFI, Code RFI, etc.); these will be implemented in future versions of wavsep (for now they serve as false positive LFI/RFI test cases).
    (*) Fixed a few minor spelling issues.
    (*) Updated the main index page and several other index pages.
    (*) Added documentation on the admin/root permissions required to run wavsep (the Tomcat user should be granted permissions on the /db/ folder under the Tomcat/Eclipse root, or root/admin privileges - recommended for better coverage of the LFI/RFI test cases).



    Download:
    wavsep-v1.2-war.zip (4.4 MB) - a war file containing the WAVSEP application (v1.2)

    Other versions and more information:
    http://code.google.com/p/wavsep/


