hanicker + web_app_sec 4
WATOBO 0.9.6rev270 released
march 2011 by hanicker
Hi everybody, we just released a new version of WATOBO due to some important bug fixes. Get it at:
http://sourceforge.net/projects/watobo/files/watobo_0.9.6rev270.zip/download

== Version 0.9.6 Build 270 ==

-- Fixes --
ProxyDialog: AddProxy-Crash
Scanner: No Port Probe For Target If Proxy Is Set
Session: Fixed NTLM-Authentication

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits.

-- Documentation --
Watch the video tutorials on our project page for further information:
<http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Videos>. There's almost complete documentation, with also very good lessons, on aldeid at:
<http://www.aldeid.com/index.php/Watobo> - thanks Sebastien!

We hope you find WATOBO useful! If you find a bug, have a feature request or simply want to tell some success stories, please send a mail to watobo@siberas.de.

Regards, Andy
Damn Vulnerable Web App (DVWA) 1.6.0 Released
march 2010 by hanicker
As seen on the great SecurityDatabase web site: http://www.security-database.com/
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Damn Vulnerable Web App (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Version v1.0.6
Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r)
Removed 'current password' input box for low+med CSRF security. 03/09/2009 (ethicalhack3r)
Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r)
Added more troubleshooting information. 02/10/2009 (ethicalhack3r)
Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r)
Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r)
Rewritten command execution high to use a whitelist. 30/09/09 (ethicalhack3r)
Fixed a command execution vulnerability in exec high. 17/09/09 (ethicalhack3r)
Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (ethicalhack3r)
Added the upload directory to the upload help. 17/09/09 (ethicalhack3r)
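Two of the changelog entries above describe the same pair of fixes a defender applies to any "run a command on user input" feature: an allow-list on the input (the "command execution high" rewrite) and output encoding before the result is placed in a page (the "stored XSS high" fix). The following is an added example, not DVWA's own code; the function names and sample inputs are constructed for illustration, and it assumes a ping-style feature that takes one host parameter.

```python
"""Allow-list validation for a 'ping a host' feature, plus output encoding.

Added example, not DVWA's own code. It shows the two hardening steps the
DVWA changelog names: a whitelist (allow-list) for command execution and
sanitised output for stored XSS. Function names and inputs are constructed.
"""
import html
import ipaddress
import subprocess
from typing import List, Optional


def build_command_unsafe(target: str) -> str:
    """The weak pattern: user input spliced into a shell command string.

    Returned as a string for comparison only; nothing in this file runs it.
    Any shell metacharacter in `target` would be interpreted by the shell.
    """
    return "ping -c 1 " + target


def validate_target(target: str) -> Optional[str]:
    """Allow-list check: accept only a literal IPv4 or IPv6 address.

    Rather than stripping 'bad' characters (a deny-list, which is easy to
    get wrong), this accepts a value only if the standard library parses it
    as an address. Hostnames, separators and embedded whitespace are all
    rejected. Returns the normalised address, or None when rejected.
    """
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def build_command_safe(target: str) -> Optional[List[str]]:
    """Hardened form: the validated value becomes one argv element.

    With an argument list and no shell, the operating system receives the
    address as a single argument; there is no shell to parse separators.
    Returns the argv list, or None when the input fails the allow-list.
    """
    addr = validate_target(target)
    if addr is None:
        return None
    return ["ping", "-c", "1", addr]


def run_ping(target: str, timeout: int = 10) -> Optional[subprocess.CompletedProcess]:
    """Run the hardened command (shell=False by default). None if rejected."""
    argv = build_command_safe(target)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


def render_result(raw: str) -> str:
    """Encode text before it is placed into an HTML page.

    This is the 'sanitises output' step: the command output (or any stored
    user text) is HTML-escaped at render time, so markup in it is displayed
    rather than interpreted by the browser. quote=True also escapes ' and ".
    """
    return html.escape(raw, quote=True)


if __name__ == "__main__":
    # Constructed inputs: one clean address, one carrying a shell separator.
    for sample in ["127.0.0.1", "127.0.0.1;echo", "localhost"]:
        print(f"{sample!r}: unsafe={build_command_unsafe(sample)!r} "
              f"safe={build_command_safe(sample)!r}")
    print(render_result('<b>stored</b> "text"'))
```

The allow-list is deliberately narrow: a real application that must accept hostnames would validate them against the hostname grammar the same way (parse, then accept or reject), never by removing characters from the raw value.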
Vulnerabilities
SQL Injection
XSS Stored/Reflected
LFI (Local File Inclusion)
RFI (Remote File Inclusion)
Command Execution
Upload Script
Login Brute Force
Full Path Disclosure
PHP-IDS
And much more...
Installation
Installation video: YouTube
Default username = admin
Default password = password

Database Setup

To set up the database, simply click on the Setup button in the main menu, then click on the 'Create / Reset Database' button. This will create / reset the database for you with some data in.

If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php:

$_DVWA[ 'db_user' ] = 'your_database_username';
$_DVWA[ 'db_password' ] = 'your_database_password';
$_DVWA[ 'db_database' ] = 'your_database_name';
Everyone is welcome to contribute and help make DVWA as successful as it can be. Without the DVWA community, DVWA would not be what it is today.
More information, Official Web Site: DVWA
2010 CWE/SANS Top 25 Most Dangerous Programming Errors
march 2010 by hanicker
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit.
They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.
Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses.
Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/).
MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.
The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE.
Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable.
Get your own copy at: http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.pdf
Web Security DOJO V1.0 has been released
march 2010 by hanicker
Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
What?
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v9.10.
Why?
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started - tools, targets, and documentation.
Where?
Download Web Security Dojo from http://sourceforge.net/projects/websecuritydojo/files/.
How?
To install Dojo you can install and run VirtualBox, then "Import Appliance" using the Dojo's OVF file. Go here for Virtual Box instructions. As of version 1.0 a VMware version is also provided.
Who?
Sponsored by Maven Security Consulting Inc (performing web app security testing & training since 1996)
Convenient virtual machine image (VirtualBox recommended, VMware provided)
Targets include:
OWASP's WebGoat v5.2
Damn Vulnerable Web App v1.0.6
Hacme Casino v1.0
OWASP InsecureWebApp v1.0
simple training targets by Maven Security (including REST and JSON)
Tools:
Burp Suite (free version) v1.3
w3af cvs version
OWASP Skavenger v0.6.2a
OWASP Dirbuster v1.0 RC1
Paros v3.2.13
Webscarab v20070504-1631
Ratproxy v1.57-beta
sqlmap v0.7
helpful Firefox add-ons
Upcoming Features:
More tutorials and documentation, including video tutorials
ISO release of live CD version, for direct install to hard drive
More targets
More tools
Enhancements/contributions to existing tools and targets
Debian packages for existing tools and targets to enhance VM creation and collaboration with other projects.
More detailed future changes on SourceForge in the feature request and bug trackers
GET IT AT: http://sourceforge.net/projects/websecuritydojo/files/