
Conversation

@iammyr
Contributor

@iammyr iammyr commented Jul 7, 2015

Python script to generate a web application XML descriptor (web.xml) and a html home page with links to all the vulnerable servlets. DAST tools can then be used to create a URL attack surface by running an automated spider on the generated home page.

… home page with links to all the test cases. DAST tools can be used to create a URL attack surface and run a spider on this page.
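As an added example (not the PR's own script), a Python sketch of the two artifacts the description mentions, a web.xml that maps every servlet and an HTML seed page that links each one, plus a check that the seed page really covers every mapping, since any servlet it omits is invisible to the spider and silently drops out of the scan. The servlet class names are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from html import escape

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"

# Constructed sample of fully qualified servlet classes (hypothetical names,
# not the Benchmark's own test cases).
SERVLETS = [
    "com.example.testcode.SqlInjectionTest01",
    "com.example.testcode.XssTest02",
]


def servlet_entries(classes):
    """Map each servlet class to a (servlet-name, url-pattern) pair."""
    names = [cls.rsplit(".", 1)[-1] for cls in classes]
    return [(name, "/" + name) for name in names]


def build_web_xml(classes):
    """Emit a minimal Servlet 3.0 web.xml declaring and mapping every class."""
    root = ET.Element("web-app", {"xmlns": JAVAEE_NS, "version": "3.0"})
    for cls, (name, pattern) in zip(classes, servlet_entries(classes)):
        servlet = ET.SubElement(root, "servlet")
        ET.SubElement(servlet, "servlet-name").text = name
        ET.SubElement(servlet, "servlet-class").text = cls
        mapping = ET.SubElement(root, "servlet-mapping")
        ET.SubElement(mapping, "servlet-name").text = name
        ET.SubElement(mapping, "url-pattern").text = pattern
    return ET.tostring(root, encoding="unicode")


def build_index_html(classes):
    """Emit the seed page a DAST spider starts from: one link per servlet."""
    items = "\n".join(
        f'<li><a href="{escape(pattern)}">{escape(name)}</a></li>'
        for name, pattern in servlet_entries(classes)
    )
    return f"<html><body><ul>\n{items}\n</ul></body></html>"


def uncovered_patterns(web_xml, index_html):
    """Return url-patterns declared in web.xml that the seed page never links."""
    ns = {"j": JAVAEE_NS}
    root = ET.fromstring(web_xml)
    declared = [el.text for el in root.findall("j:servlet-mapping/j:url-pattern", ns)]
    linked = set(re.findall(r'href="([^"]*)"', index_html))
    return [pattern for pattern in declared if pattern not in linked]
```

Run `uncovered_patterns(build_web_xml(SERVLETS), build_index_html(SERVLETS))` before handing the seed page to a spider; an empty list means every mapped servlet is reachable from it.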
@davewichers
Contributor

Myriam,

Thanks for your contribution. I had mentioned before that we were working on
building a UI for the Benchmark test cases and that work is done already, we
just haven't released it. So I'm not sure if we can directly use this
contribution. We are also working on getting ZAP to scan it and would like
to release both at the same time.

Our next immediate release is going to be the scorecard generator, which I
plan to release this week. And then in the next two weeks we hope to release
the UI for the test cases.

We'd love for you to review what we produce as soon as it's released. I'll
let you know when that occurs.

-Dave

From: Myriam Leggieri notifications@github.com
Date: Tuesday, July 7, 2015 at 7:12 AM
To: OWASP/Benchmark Benchmark@noreply.github.com
Subject: [Benchmark] Build a Web App out of the servlets (#4)


@iammyr
Contributor Author

iammyr commented Jul 8, 2015

Hi Dave,

that's grand, no worries about it. I'll be very curious though, to see the results of a ZAP scan. I have so far tried Sqlmap with different risks and levels (and specifying hsqldb as dbms) and Burp Intruder with the "Fuzzing SQL Injection" attack payload, but both tools were not able to find any SQL injection at all. At this stage we were focusing more on SQL Injection.

Looking forward to hearing back from you about your updates. Thanks a lot!

@iammyr iammyr closed this Jul 8, 2015
@davewichers
Contributor

Myriam,

I do suspect that a few of the SQL Injection tests won't actually work
because of what is done to the request parameter before it gets to the SQL
query. But only a few and we'd like to get those fixed or removed.

However, the bulk of the SQL injection true positive tests should work. I'd
suggest you try a few by hand by first looking at the actual servlet code
and then crafting an attack that should work. All the complexity is in the
propagation and in some cases it should be straight flow through of source
parameter to sink with no changes so the attack should be easy to craft by
hand and verify.

-Dave

From: Myriam Leggieri notifications@github.com
Date: Wednesday, July 8, 2015 at 4:56 AM
To: OWASP/Benchmark Benchmark@noreply.github.com
Cc: Dave Wichers dwichers@gmail.com
Subject: Re: [Benchmark] Build a Web App out of the servlets (#4)

