Web Pen Test Honeypot

Greetings,

I am in the middle of evaluating the wide variety of web security pen-test tools that exist. I'm currently pointing each piece of software to a site that I have written. None of the tools are finding issues.

My task right now is to find the right tool for the job, and the job is finding web-based security issues. Either the tools are not working, or my site is secure. I'm not willing to put money on which of the two is true. :)

What I need is a web application that has known security issues. I would prefer one that was intentionally written to have scanners pointed to it for testing the scanners.

Does such a thing exist? I hope so, because I hardly have time right now to write even the simplest web application that has all of the various holes that I need to test for.

If someone could point me to a "web honeypot" that I could install in my own environment I would appreciate it.

Thanks.

--
John Evans
Administrator of kilnar.com

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Re: Web Pen Test Honeypot

OWASP's WebScarab

On Tue, Jul 8, 2008 at 11:39 PM, John Evans <admin@...> wrote:
> [...]

Re: Web Pen Test Honeypot

2008/7/8 John Evans <admin@...>:
> [...]
>
> If someone could point me to a "web honeypot" that I could install in my
> own environment I would appreciate it.

Try: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm or one of the older versions of awstats, phpBB, or phpNuke that had issues (SQL injection, command injection, php code injection). Tools may show up some faults, but they won't find them all - but to be sure you should really do a source code audit.

cheers,
Jamie
--
Jamie Riden / jamesr@... / jamie@...
UK Honeynet Project: http://www.ukhoneynet.org/

Re: Web Pen Test Honeypot

Dear John,

> What I need is a web application that has known security issues. I would
> prefer one that was intentionally written to have scanners pointed to it
> for testing the scanners.

though written for a slightly different purpose, OWASP's WebGoat might be what you are looking for: 'WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons.'

http://www.owasp.org/index.php/OWASP_WebGoat_Project

HTH,
Mathias
--
Mathias Huber, Deputy Editor-in-Chief, Linux-Magazin Online
Linux New Media AG, Putzbrunner Str. 71, D-81739 Muenchen
Phone: +49 89 9934 1147 Fax: +49 89 9934 1198
mhuber@... - http://www.linux-magazin.de

RE: Web Pen Test Honeypot

> What I need is a web application that has known security issues. I would
> prefer one that was intentionally written to have scanners pointed to it
> for testing the scanners.

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
http://hackme.ntobjectives.com/

Be aware that most of the tools out there have been tested against these test sites already and will find most of their vulnerabilities. It's not really a realistic evaluation of how they will fare against your site and its applications. But it will definitely put high-severity findings on the report.

PaulM

Re: Web Pen Test Honeypot

Most security tools are tuned to find issues in commonly-known sites like Webgoat and the vendor test sites. Hence, that might not be your best target for evaluation. You could try the OWASP SiteGenerator project for alternate data.

If you're evaluating run-time testing tools for just one site or a set of sites that you or your company maintain, you can't do any better than testing the tools against your own code since that's what you'll be doing long-term, anyway.

If you're concerned that the tools aren't finding anything and you're getting a lot of false negatives, get the vendors involved in the configuration + crawl phase or find an expert in the open-source tool you're evaluating and hire them for some consulting hours.

-j

On Tue, Jul 8, 2008 at 2:39 PM, John Evans <admin@...> wrote:
> [...]

RE: Web Pen Test Honeypot

I believe IBM/Watchfire (now called 'IBM Rational Scan') has a site that's stood up exclusively for webappsec demo'ing purposes. I've seen it used in various demos. It's globally available and I don't believe there's any restriction on testing against it.

URL: http://www.testfire.net

Scott Stevens
Security Consultant
En Pointe Technologies

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of John Evans
Sent: Tuesday, July 08, 2008 4:40 PM
To: webappsec@...
Subject: Web Pen Test Honeypot

[...]

Re: Web Pen Test Honeypot

Surely you mean WebGoat?

On Fri, Jul 11, 2008 at 9:13 AM, Thanasis Kostopoulos <a.kostopoulos@...> wrote:
> OWASP's WebScarab
>
> On Tue, Jul 8, 2008 at 11:39 PM, John Evans <admin@...> wrote:
>> [...]

RE: Web Pen Test Honeypot

There is another one by HP

http://zero.webappsecurity.com

Best Regards,
Saurabh A. Thakrar
Information Security Consultant - Global Security Operations and Competency Center
Roche Diagnostics Operations, Inc.
9115 Hague Road, Bldg-P
Indianapolis, Indiana 46250-0457 USA
Phone: +1 317-521-4209
Mobile: +1 317-670-7560
mailto:saurabh.thakrar@...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Stevens, Scott
Sent: Friday, July 11, 2008 12:23 PM
To: John Evans; webappsec@...
Subject: RE: Web Pen Test Honeypot

[...]

Re: Web Pen Test Honeypot

Jeff Robertson wrote:
> Surely you mean WebGoat?
>
> On Fri, Jul 11, 2008 at 9:13 AM, Thanasis Kostopoulos
> <a.kostopoulos@...> wrote:
>> OWASP's WebScarab
>>
>> On Tue, Jul 8, 2008 at 11:39 PM, John Evans <admin@...> wrote:
>>> [...]

Sorry that was a hasty post :)

RE: Web Pen Test Honeypot

Find a vulnerable version of a web application that you like, or don't like, install it, and run your tools against it. Then review their findings and reporting capabilities, and see what you like. I used phpnuke and some others.

Sometimes webinspect, appscan, or even paros will find plenty of stuff - other times, like one of my May 2008 engagements, these tools don't find any issues, but I did find a working XSS. "working" - means I was able to do a staged attack and steal cookies.

You can buy a consultant license of either webinspect or appscan for $3k. Well, if you are really cheap, then download the trial version and fool it into scanning your site of choice instead of their demo site. (hint: modify your hosts file or use ip filter to do redirect)

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of James Landis
Sent: Friday, July 11, 2008 11:56 AM
To: John Evans
Cc: webappsec@...
Subject: Re: Web Pen Test Honeypot

[...]

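The last two replies come down to the same method: run each tool against a target whose flaws you already know, then compare what was found with what was missed. As an added example (not from the thread or any of the tools named in it), the script below scores each scanner's exported findings against a seeded ground truth, normalising URLs and vulnerability class names so reports from different tools compare like for like; the alias table, SEEDED and REPORTS are constructed sample data.

```python
"""Score several web scanners against a target whose vulnerabilities are known.

Added example, not from the thread. SEEDED is the ground truth (every issue
deliberately built into the test application, or confirmed by a code audit);
REPORTS holds each tool's exported findings. All values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Tools name the same class in different ways; fold them onto one label.
# The alias table is constructed for the example and grows per tool in use.
CLASS_ALIASES = {
    "xss": "xss",
    "cross-site scripting": "xss",
    "reflected cross-site scripting": "xss",
    "sqli": "sqli",
    "sql injection": "sqli",
    "blind sql injection": "sqli",
    "cmdi": "cmdi",
    "command injection": "cmdi",
    "os command injection": "cmdi",
}


@dataclass(frozen=True, order=True)
class Issue:
    """One vulnerability, keyed so two tools' reports of it compare equal."""
    path: str    # URL path only: host, query string and trailing slash removed
    param: str   # affected parameter, lower-cased
    vclass: str  # canonical class label from CLASS_ALIASES


def normalize(url: str, param: str, vclass: str) -> Issue:
    """Reduce a raw (url, parameter, class name) triple to a comparable Issue."""
    path = urlsplit(url).path.rstrip("/") or "/"
    key = vclass.strip().lower()
    label = CLASS_ALIASES.get(key, "other:" + key)  # unknown classes stay visible
    return Issue(path, param.strip().lower(), label)


def score(truth: set[Issue], findings: list[Issue]) -> dict:
    """Compare one tool's findings with the seeded truth.

    recall    = seeded issues the tool reported / all seeded issues
    precision = reported issues that are real / all reported issues
    'missed' lists the false negatives, the case the thread worries about.
    """
    found = set(findings)
    hits = truth & found
    return {
        "recall": len(hits) / len(truth) if truth else 0.0,
        "precision": len(hits) / len(found) if found else 0.0,
        "missed": sorted(truth - found),
        "false_positives": sorted(found - truth),
    }


def evaluate(truth: set[Issue], reports: dict[str, list[tuple]]) -> dict[str, dict]:
    """Score every tool's raw report against the truth."""
    return {tool: score(truth, [normalize(*row) for row in rows])
            for tool, rows in reports.items()}


def rank(results: dict[str, dict]) -> list[str]:
    """Order tools by recall, then precision, best first."""
    return sorted(results, reverse=True,
                  key=lambda t: (results[t]["recall"], results[t]["precision"]))


# Constructed ground truth: four issues seeded into a hypothetical test app.
SEEDED = {
    normalize("http://target.test/search", "q", "xss"),
    normalize("http://target.test/login", "user", "sqli"),
    normalize("http://target.test/admin/ping", "host", "cmdi"),
    normalize("http://target.test/profile", "bio", "xss"),
}

# Constructed scanner output: (url as reported, parameter, tool's class name).
REPORTS = {
    "tool-a": [
        ("http://target.test/search?q=1", "q", "Cross-Site Scripting"),
        ("http://target.test/login", "User", "Blind SQL Injection"),
        ("http://target.test/about", "ref", "Cross-Site Scripting"),  # not seeded
    ],
    "tool-b": [],  # the "none of the tools are finding issues" case
    "tool-c": [
        ("http://target.test/search/", "q", "XSS"),
        ("http://target.test/login", "user", "SQL Injection"),
        ("http://target.test/admin/ping", "host", "OS Command Injection"),
    ],
}

if __name__ == "__main__":
    results = evaluate(SEEDED, REPORTS)
    for tool in rank(results):
        r = results[tool]
        print(f"{tool}: recall={r['recall']:.2f} precision={r['precision']:.2f} "
              f"missed={[(i.path, i.param, i.vclass) for i in r['missed']]}")
```

A tool that reports nothing scores recall 0.0 with every seeded issue listed under 'missed', which separates "the scanner is not working" from "the site is secure" for the known-vulnerable target.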