owaspbwa's People

Contributors

chuckfw, h00die


owaspbwa's Issues

Re-enable RFI issues

Reported by user:

It would appear that a PHP upgrade has broken the RFI vulnerabilities within 
the various applications as the "/etc/PHP5/php.ini" contains the following line:

allow_url_include=Off

Should be able to change the above line and get RFI working again.

Original issue reported on code.google.com by [email protected] on 25 Jan 2012 at 2:08

More Broken/Old Web Applications

After seeing Rapid7's post about setting up a lab with UltimateLAMP (last 
updated ~2006), I wanted to attempt to get some more old web apps in BWA.  
There is no reason to use a product that is 5yrs old when this one should work 
much better.  
I will start work on adding some of the web applications that UltimateLAMP has, 
that OWASPBWA is missing.
My list starts as follows:

TextPattern (4.0.3)
Serendipity (0.9.1) -> http://prdownloads.sourceforge.net/php-blog/serendipity-0.9.1.tar.gz?download
MediaWiki (1.6.5) -> version .3 and .8 http://dumps.wikimedia.org/mediawiki/1.6/
TikiWiki (1.9.3.1) -> 1.9.11 http://sourceforge.net/projects/tikiwiki/files/TikiWiki%201.9.x%20-Sirius-/tiki%201.9.11/tikiwiki-1.9.11.tar.gz/download
PHP Gallery (2.1.1a) -> http://gallery.menalto.com/gallery_2.1.1_released
Moodle (1.5.3) -> http://download.moodle.org/download.php/stable15/moodle-1.5.3.tgz
OsCommerce (2.2m2) -> http://www.exploit-db.com/application/15472/
Zen Cart (1.3.0) -> http://sourceforge.net/projects/zencart/files/CURRENT_%20Zen%20Cart%201.3.x%20Series/Zen%20Cart%20v1.3.0.0%20-%20Initial%20Release/
PhpWebSite (0.10.2)
Joomla (1.0.1)
eGroupWare (1.2.1)
Drupal (4.7.0) -> http://ftp.drupal.org/files/projects/drupal-4.7.0.tar.gz
Sugar CRM (4.2.0) -> http://www.sugarforge.org/frs/download.php/1365/SugarSuite-4.2.0d.zip
Owl (0.90)
WebCalendar (1.0.3) -> http://sourceforge.net/projects/webcalendar/files/webcalendar%201.0/1.0.3/WebCalendar-1.0.3.tar.gz/download
Dot Project (2.0.2) -> http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20version%202.0.2/dotproject-v2.0.2.tar.gz/download
PhpAdsNew (2.0.8) -> http://sourceforge.net/projects/phpadsnew/files/Current%20Release/phpAdsNew%202.0.8-pr1/phpAdsNew-2.0.8-pr1.tar.gz/download
Bugzilla (2.22) -> http://ftp.mozilla.org/pub/mozilla.org/webtools/archived/bugzilla-2.22.tar.gz
PhpMyAdmin (2.8.0.3)
Webmin (1.270) -> http://sourceforge.net/projects/webadmin/files/webmin/1.270/webmin-1.270.tar.gz/download

I would also like to make the index page for OWASPBWA better organized.  I much 
prefer the UltimateLAMP version; it is just prettier and more organized in my 
opinion.

Original issue reported on code.google.com by [email protected] on 15 Apr 2011 at 11:29

Add WackoPicko Application?

WackoPicko is a realistic application created with intentional vulnerabilities 
for research on web application scanners.  Would be nice to include this in the 
VM.

More info at:

https://github.com/adamdoupe/WackoPicko

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 2:47

Google Gruyere, OWASP insecure web app project

Do we want to include these?  I can put them in, just didn't know if we wanted 
these additional items as 'training' environments.

http://google-gruyere.appspot.com/part1
https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project#tab=Main

I see the OWASP-IWAP is orphaned.  Maybe that gets sucked into this project?  
I'm no programmer, but if we can at least get it running I think it would help 
everyone out.

Original issue reported on code.google.com by [email protected] on 21 Apr 2011 at 3:04

Cookies not correctly set for phpBB

What steps will reproduce the problem?
1. open phpBB
2. log in

What is the expected output? What do you see instead?
Expected to be logged in, but instead redirected to login page.

What version of the product are you using? On what operating system?
0.92rc2

Please provide any additional information below.
Cookie is set to IP address 192.168.23.131. When the VM has a different IP, the 
cookie is not valid.

A solution might be to include a cookie-set script that one has to run once 
when the VM is started. Example: 
http://www.phpbb.com/community/viewtopic.php?t=228741

Original issue reported on code.google.com by [email protected] on 21 Dec 2010 at 2:19

owaspbwa-delete-temp-and-log-files.sh clean up

owaspbwa-delete-temp-and-log-files.sh calls mvn clean for webgoat.  This ends 
up downloading some files from the Internet, which makes the script take a bit 
longer than it should and may also be cluttering up the disk rather than 
cleaning it up.  Need to investigate this and correct.

Original issue reported on code.google.com by [email protected] on 2 May 2011 at 2:24

Add Application(s) with non-MySQL DB backends (and SQL injection)

Would like one or more applications that use PostgreSQL or some other database 
engine (other than MySQL that is used by most applications).  Application(s) 
should also have SQL injection vulnerabilities in order to provide an 
opportunity for experimenting with the differences in SQL syntax between 
different database servers.

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 1:20

Gallery 2

gallery2:

mysql:
create user gallery2@localhost identified by 'gallery2';
grant all privileges on gallery2.* to 'gallery2'@'localhost';

users:
admin/admin
user/user

Original issue reported on code.google.com by [email protected] on 20 Apr 2011 at 5:35

Look at updating other apps

Look at other apps that are not currently pulled from source repos and see if 
they can be pulled directly or if they need to be updated.

Includes:
- AppSensor
- CSRFGuard
- Likely others.

Original issue reported on code.google.com by [email protected] on 28 Mar 2012 at 1:45

Add Hackxor application

Albino created a training app / game called Hackxor that should be easy to 
incorporate into the VM (he even made a script to automate the process).  For 
more information, see:

https://sourceforge.net/projects/hackxor/files/ 

http://groups.google.com/group/owaspbwa/browse_thread/thread/d9348bcdef19d185#

http://hackxor.sourceforge.net (playable online version of the first couple 
levels).

Original issue reported on code.google.com by [email protected] on 27 Apr 2011 at 1:58

awstats not working

In 0.94alpha1, visiting http://owaspbwa/awstats/awstats.pl?config=owaspbwa 
returns a 404.  Need to investigate what is going wrong there.

Original issue reported on code.google.com by [email protected] on 2 May 2011 at 3:15

Add Python application(s)

Would be nice to include application(s) written in Python.  Perhaps an old 
version of Django and/or Zope.

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 2:51

Add non-trivial .NET application(s) (owasp-hacmebank?)

It would be nice to have a non-trivial ASP.NET application (or applications) in 
the VM.

One possibility is owasp-hacmebank, which is a version of Foundstone's 
HacmeBank which was originally released as open source.  Owasp-hacmebank is now 
available at: http://code.google.com/p/owasp-hacmebank/.

This is a Windows .NET application that probably assumes a MSSQL back end 
database.  If we could make the thing work with MySQL or PostgreSQL, it would 
be nice, but it will likely be a bit of work.

Other .NET applications that may be candidates are listed at 
http://www.asp.net/community/projects.

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 1:17

OWASP Mutillidae version too old

OWASP BWA comes with OWASP Mutillidae 1.5.
The latest version is 2.1.15 (released on 02/11/2012)

The difference between those two versions is dozens of bug fixes, features, new 
vulnerabilities etc... as shown in the change log. 

http://www.irongeek.com/i.php?page=mutillidae/change-log

Original issue reported on code.google.com by [email protected] on 19 Feb 2012 at 8:25

Add some enterprise-like Java applications

Would like to add some Java applications that are more like applications that 
you'll find in a typical enterprise.  That is, applications that use one or 
more of the following frameworks / libraries:

- Struts1
- Struts2
- Spring
- Hibernate
- Ibatis/MyBatis

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 2:37

owasp-service-stop.sh and owasp-service-start.sh cause warnings

root@owaspbwa:~# owaspbwa-svn-update.sh
---- Stopping services ----
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql stop

--cut--

Ubuntu prefers /usr/sbin/service <service> <start/stop/restart> instead of 
/etc/init.d/<service> <start/stop/restart>

Original issue reported on code.google.com by [email protected] on 25 Apr 2011 at 10:53

Error during login OrangeHRM

What steps will reproduce the problem?
1. Download, unpack, and start VM
2. Click link to OrangeHRM

What is the expected output? What do you see instead?
Expected: login screen
Output: XSLT error

What version of the product are you using? On what operating system?
0.92rc2 in VMWare player 3.1.3 build-324285

Please provide any additional information below.
URL displayed: http://192.168.109.133/orangehrm/login.php
Error shown:
<?xml version='1.0' encoding='iso-8859-1'?>
<?xml-stylesheet href='/error.xsl' type='text/xsl'?>
<report>
    <heading>Warning</heading>
    <type>warning</type>
    <message><![CDATA[include(lang_default_benefits.php): failed to open stream: No such file or directory]]></message>
    <root>/owaspbwa/owaspbwa-svn/var/www/orangehrm</root>
    <Wroot></Wroot>
   <stylesheet>beyondT</stylesheet>

    <logPath><![CDATA[/owaspbwa/owaspbwa-svn/var/www/orangehrm/lib/logs/]]></logPath>
    <cause>
        <message><![CDATA[Encountered the problem in /owaspbwa/owaspbwa-svn/var/www/orangehrm/language/nl/lang_nl_full.php]]></message>
    </cause>
    <cause>
        <message><![CDATA[Line 1712]]></message>
    </cause>
    <environment>
        <version type='ohrm' description='OrangeHRM' ><![CDATA[2.4.2]]></version>

        <version type='php' description='PHP' ><![CDATA[5.3.2-1ubuntu4.5]]></version>
        <version type='mysql' description='MySQL Client' ><![CDATA[5.1.41]]></version>
        <info type='memory_limit' description='Memory limit' ><![CDATA[128M]]></info>
        <info type='session.gc_maxlifetime' description='Maximum session lifetime' ><![CDATA[1440]]></info>
    </environment>
    <cmd n='js'><![CDATA[alert('Warning :\ninclude(lang_default_benefits.php): failed to open stream: No such file or directory\nin /owaspbwa/owaspbwa-svn/var/www/orangehrm/language/nl/lang_nl_full.php\non line 1712');]]></cmd>
</report>


Original issue reported on code.google.com by [email protected] on 6 Dec 2010 at 11:09

Add application(s) with Adobe Flash client

Would like to add application(s) that use Adobe Flash on the client side.  
Specifically looking for applications that use the AMF (Action Message Format) 
instead of standard HTTP for communication.

Some candidate applications can be found under "Flash Applications" at 
http://osflash.org/open_source_flash_projects.

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 1:54

Fix Symlinks in /etc/apache2/mods-enabled

Files in /etc/apache2/mods-enabled are supposed to be symlinks to files in 
/etc/apache2/mods-available.  They are symlinks in the release VMs, but the 
files are also in SVN as actual data files, which is confusing SVN updates.  
Need to remove files from SVN, but leave symlinks on next release.

Original issue reported on code.google.com by [email protected] on 29 Apr 2011 at 12:53

Reflected XSS in http://owaspbwa/vicnum/

There is a reflected XSS issue in the OWASP Vicnum application
http://ip/vicnum/.  On that page, when you enter a name
of "Name<script>alert(123)</script>" and press "Play", the script will run
on the next page (http://ip/vicnum/cgi-bin/vicnum1.pl).

Original issue reported on code.google.com by [email protected] on 25 Oct 2009 at 12:54

  • Merged into: #7

Can't Start Apache

root@owaspbwa:/owaspbwa/owaspbwa-svn/etc/apache2# service apache2 start
 * Starting web server apache2
Syntax error on line 143 of /etc/apache2/apache2.conf:
Invalid command 'Order', perhaps misspelled or defined by a module not included 
in the server configuration
[fail]

Original issue reported on code.google.com by [email protected] on 2 May 2011 at 3:56
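
To find which lines of an Apache config use the directives behind an "Invalid command 'Order'" start-up error, and whether a module implementing them is enabled, here is an added example (not code from the owaspbwa project). The config text is a constructed sample; the file names authz_host.load (Apache 2.2) and access_compat.load (Apache 2.4) are the standard Debian/Ubuntu mods-enabled entries for the modules that provide Order/Allow/Deny.

```python
"""Added example, not owaspbwa project code: find the legacy access-control
directives (Order / Allow from / Deny from) behind an "Invalid command 'Order'"
start-up error and report whether a module implementing them is enabled.
The configuration text below is a constructed sample."""
import os
import re

# Directives implemented by mod_authz_host on Apache 2.2 and mod_access_compat on Apache 2.4.
LEGACY = re.compile(r"^\s*(Order|Allow\s+from|Deny\s+from)\b", re.IGNORECASE)
SECTION_NAMES = r"(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch|VirtualHost)"
SECTION_OPEN = re.compile(r"^\s*<" + SECTION_NAMES + r"\b[^>]*>", re.IGNORECASE)
SECTION_CLOSE = re.compile(r"^\s*</" + SECTION_NAMES + r"\s*>", re.IGNORECASE)
# Debian/Ubuntu mods-enabled entries for the providing module, one per Apache generation.
PROVIDER_MODULES = ("authz_host.load", "access_compat.load")


def find_legacy_directives(config_text):
    """Return (line_number, directive, enclosing_section) for each legacy directive,
    so the line number quoted in the httpd error can be matched to its section."""
    sections, found = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if SECTION_OPEN.match(line):
            sections.append(line.strip())
        elif SECTION_CLOSE.match(line):
            if sections:
                sections.pop()
        else:
            m = LEGACY.match(line)
            if m:
                directive = re.sub(r"\s+", " ", m.group(1))
                found.append((lineno, directive, sections[-1] if sections else "<global>"))
    return found


def provider_enabled(mods_enabled_dir):
    """True when an entry for a module implementing these directives exists in
    mods-enabled (normally a symlink into mods-available)."""
    return any(os.path.exists(os.path.join(mods_enabled_dir, name)) for name in PROVIDER_MODULES)


# Constructed sample config, not the VM's apache2.conf.
SAMPLE_CONF = """\
ServerRoot "/etc/apache2"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Files ~ "^\\.ht">
    Order allow,deny
    deny from all
</Files>
"""

if __name__ == "__main__":
    for lineno, directive, section in find_legacy_directives(SAMPLE_CONF):
        print(f"line {lineno}: {directive} in {section}")
    print("provider module enabled:", provider_enabled("/etc/apache2/mods-enabled"))
```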

Add Joomla and vuln components

Add Joomla 1.5.15 
http://www.joomla.org/announcements/release-news/5249-joomla-1515-released.html 
and some vulnerable plugins/components.

Original issue reported on code.google.com by [email protected] on 21 Apr 2011 at 6:11

Updates to Web Interface (v3)

I have done a few minor adjustments for cross browser compatibility.  Also 
added a logo at the top for owasp, created a vuln_list.html file with as many 
vuln as I could find/prove for myself.  Made the links between the index.html 
file and the vuln_list. Also added webcal to the list in index.html as well as 
making that table 2 wide.

http://sourceforge.net/apps/trac/owaspbwa/report/1 could use a refresh also 
with the vulnerabilities identified.

Original issue reported on code.google.com by [email protected] on 18 Apr 2011 at 8:19

Add webcal 1.0.3

webcal 1.0.3

mysql:
create user 'webcal'@'localhost' identified by 'webcal';
grant all privileges on webcal.* to 'webcal'@'localhost';

users:
admin/admin
user/user
assistant/assistant

Original issue reported on code.google.com by [email protected] on 20 Apr 2011 at 2:12

Redirects for tomcat

I noticed that all the tomcat apps we currently have respond on port 80, yet 
tomcat is on 8080.  When I installed the 2 new .war files, they only respond on 
8080.  How are you doing the redirect?

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 10:51

Add /etc/hosts to SVN

The /etc/hosts file is not in SVN... it should be added.  It also needs to be 
updated for the hackxor application which uses several host names.

Original issue reported on code.google.com by [email protected] on 29 Apr 2011 at 1:08

Wordpress Plugins

To spice things up a bit, I added two plugins to WordPress (mygallery, 
spreadsheet). Also made a post on the front page about it.  Most people are 
running at least one plug-in, so I thought this gave a more 'real world' 
perspective.  Also, both plug-ins suffer from vulnerabilities.

http://www.exploit-db.com/exploits/3814/
http://www.exploit-db.com/exploits/5486/

exploit: 
http://owaspbwa/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--

the RFI will take some more work, but the vulnerable page is: 
http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php

You can remove the .zip plugin files from /var/www/wordpress/wp-content/plugins 
to save some space. 

If this gets added, let me know and I'll update vuln_list.html!

Original issue reported on code.google.com by [email protected] on 20 Apr 2011 at 4:04
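
A way to spot requests like the ss_load.php one above in Apache access logs, written as an added example (not owaspbwa project code). The log lines are constructed samples, and the signature patterns are assumptions about what UNION-based injection attempts look like; the benign "union station" search is included to show why the match requires union followed by select rather than the bare keyword.

```python
"""Added example, not code from the owaspbwa project: scan web-server access
log lines for UNION-based SQL injection attempts such as the wpSS ss_load.php
request quoted in the issue above. The log lines are constructed samples."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format: client, identd, user, [timestamp], "request", status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumed signatures, evaluated against a decoded, lower-cased, whitespace-folded value.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b(?: all| distinct)? select\b"),
    "sql-comment-terminator": re.compile(r"(?:--|#|/\*)\s*$"),
    "concat-of-columns": re.compile(r"\bconcat\s*\("),
}


def normalize(value):
    """Lower-case, drop inline /* */ comments and fold whitespace so spacing tricks do not hide keywords."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower())
    return re.sub(r"\s+", " ", value).strip()


def scan_query(target):
    """Return (param, reason) pairs for every query parameter of a request target that matches a signature."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalize(raw)  # parse_qsl already decodes '+' and %xx escapes
        for reason, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, reason))
    return hits


def scan_log(text):
    """Parse each access-log line and report requests whose query values look injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for param, reason in scan_query(m.group("target")):
            findings.append({"client": m.group("client"), "path": urlsplit(m.group("target")).path,
                             "param": param, "reason": reason, "status": m.group("status")})
    return findings


# Constructed sample log (not a real capture): the plugin payload, a normal request to the
# same page, a benign search containing the word "union", and an encoded upper-case variant.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2011:16:04:01 +0000] "GET /wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users-- HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Apr/2011:16:04:09 +0000] "GET /wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1 HTTP/1.1" 200 1870 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Apr/2011:16:05:12 +0000] "GET /wordpress/?s=union%20station HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Apr/2011:16:06:40 +0000] "GET /wordpress/?p=3%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```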

Add BodgeIt Store application?

BodgeIt Store is a relatively new vulnerable web application by the author of 
the OWASP ZAP.  It is written entirely in JSP.  Should look at it for inclusion 
on the VM.  More info at:

http://code.google.com/p/bodgeit/

Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 2:03

Possible problem with Peruggia application

The Peruggia application works ok at first, but once you upload a new image 
file, the ability to comment on images no longer works.  It isn't clear to me 
if this is a problem with how the application is set up in OWASP BWA or if the 
original application has the issue.  This needs more research.

Original issue reported on code.google.com by [email protected] on 20 Jan 2011 at 8:56

OWASP ZAP Web App Vulnerability Examples (WAVE)

The OWASP Zed Attack Proxy (ZAP) project has created some example web 
applications with vulnerabilities for demoing ZAP.  These should be looked at 
to see if they should be included in the VM.

They can be downloaded from:

http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip&can=2&q=

OR, it may be preferable to sync directly to their SVN repo at 
http://zaproxy.googlecode.com/svn/trunk/wave/.


Original issue reported on code.google.com by [email protected] on 26 Apr 2011 at 1:59

Ruby WebApp

http://rubyforge.org/ has a bunch of ruby apps, we could pick one or two from 
there.  I see http://rubyforge.org/projects/redmine/ is one of the top 
downloads for that.  There is a command injection vuln and a csrf on 
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=redmine&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=


Original issue reported on code.google.com by [email protected] on 25 Apr 2011 at 5:29

Perl Application

I think awstats would be a good perl application to add.
http://sourceforge.net/projects/awstats/files/AWStats/6.4/awstats-6.4.zip/download

6.4 has quite a few vulnerabilities including a few command injections: 
http://www.exploit-db.com/exploits/9909/, 
http://www.exploit-db.com/exploits/1755/, 
http://www.exploit-db.com/exploits/817/ (DOS would be nice, we don't have any of 
those), http://www.securityfocus.com/bid/12572, possibly 
http://www.securityfocus.com/bid/10950

Original issue reported on code.google.com by [email protected] on 25 Apr 2011 at 5:13
