OWASP BWA 1.1beta1 Released


Chuck Willis

Jul 11, 2013, 6:45:36 PM
to owaspbwa
Hello all,

   Last night, I pushed OWASP Broken Web Applications Project VM version 1.1beta1 to SourceForge.  This release is now available for download from http://sourceforge.net/projects/owaspbwa/files/1.1beta1/.  File names and MD5s are below:

OWASP_Broken_Web_Apps_VM_1.1beta1.zip  MD5: e72d972d4cf3542a4242f4529daff7f3
OWASP_Broken_Web_Apps_VM_1.1beta1.7z   MD5: 6552a283058ad37a541b7aa817399961

   I haven't made this release the "default" download since it is a beta and there are at least a couple known issues (see release notes below).  Most of the known bugs are in new applications, so overall even this beta release is an improvement over version 1.0.  The size of the VM has grown a bit for this release... I think that is largely due to the addition of a couple Ruby applications and associated code.

    The big changes for this release are additions of and updates to several OWASP projects on the VM.  I will be reaching out to those projects to try to get them to check for / help me fix bugs, but any help with that is appreciated.  The goal is to have the full 1.1 release out by the end of the month (when I will be demonstrating the project at the Black Hat USA Arsenal).

    If you notice any issues with the VM, please let us know via the issue tracker on Google Code (preferred - https://code.google.com/p/owaspbwa/issues/list), email to the group here, or email directly to me.  Also, please continue to submit (and view) vulnerabilities at http://sourceforge.net/apps/trac/owaspbwa/report/1.

Chuck

Version 1.1beta1 - 2013-07-10
- Added new applications: OWASP 1-liner, OWASP RailsGoat, OWASP Bricks, SpiderLabs "Magical Code Injection Rainbow", Cyclone
- Updated Mutillidae (name, version, and to use new SVN repository)
- Updated DVWA to new Git repository
- Added SSL support to web server
- Updated ModSecurity and updated Core Rule Set to current in Git
- Known issues:
  o ModSecurity CRS blocking does not work
  o OWASP 1-liner application appears to have functional issues (it was heavily modified to run on the VM through Apache)
  o Other new applications have not been fully tested
  o User Guide has not been updated
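As an added example, not part of the announcement or the project's own tooling, a POSIX shell script that checks the two archives named above against the MD5s Chuck posted (it assumes GNU md5sum and that the downloads sit in the current directory):

```shell
#!/bin/sh
# Verify the 1.1beta1 archives against the MD5s from the announcement.
# Added example; assumes GNU coreutils md5sum is on PATH.

# expected_md5 FILE: print the digest announced for FILE, or fail if unknown.
expected_md5() {
  case "$1" in
    OWASP_Broken_Web_Apps_VM_1.1beta1.zip) echo e72d972d4cf3542a4242f4529daff7f3 ;;
    OWASP_Broken_Web_Apps_VM_1.1beta1.7z)  echo 6552a283058ad37a541b7aa817399961 ;;
    *) return 1 ;;
  esac
}

# md5_of FILE: print the lowercase hex MD5 of FILE (empty if unreadable).
md5_of() {
  md5sum -- "$1" 2>/dev/null | cut -d' ' -f1
}

# verify_md5 FILE EXPECTED: return 0 on match, 1 on mismatch or missing file.
# A mismatch means the archive is truncated, corrupt or altered: do not import it.
verify_md5() {
  actual=$(md5_of "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# verify_release: check each announced archive that is present in the cwd.
# Prints one status line per file; returns 1 if any present file fails.
verify_release() {
  status=0
  for f in OWASP_Broken_Web_Apps_VM_1.1beta1.zip OWASP_Broken_Web_Apps_VM_1.1beta1.7z; do
    [ -f "$f" ] || { echo "SKIP $f (not downloaded)"; continue; }
    if verify_md5 "$f" "$(expected_md5 "$f")"; then
      echo "OK   $f"
    else
      echo "FAIL $f"; status=1
    fi
  done
  return $status
}

verify_release
```

A matching digest only shows the archive arrived intact; it does not establish who produced it, because the hash is published over the same channel as the download.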

Abhi M Balakrishnan

Jul 14, 2013, 1:05:26 PM
to owas...@googlegroups.com
Hello Chuck,

Glad to see that OWASP Bricks has been included in BWA. Just downloaded and tested the new release and it looks neat. Planning to make some videos based on it in coming days.

Wishing you all the very best for BlackHat USA Arsenal.

Regards,
~ Abhi M

Chuck Willis

Jul 14, 2013, 9:40:17 PM
to owas...@googlegroups.com
Thanks for the feedback.  I tested the application a bit and it seemed to be working ok, but I'm not too familiar with how it is supposed to work.  If there are any bugs, feel free to let me know. 

I believe that I had to modify some path separators (\ to /) in a few places to make things work on the VM.  Let me know if you'd like me to track down exactly where I made those changes, but I think that you would find them by doing a recursive diff comparing what is on the VM with your most recent release.

I couldn't find a public source repository for the project.  Let me know if I missed it and I can pull the code from that, which will make future updates easier.

Chuck



Abhi M Balakrishnan

Jul 15, 2013, 12:44:19 PM
to owas...@googlegroups.com
Did not find any issues with the BWA release till now (other than those mentioned in the release notes). Will let you know if I manage to find any.

As for the source code repository, I have set up one on Google Code at your request: https://code.google.com/p/owaspbricks/source/browse/#svn%2Ftrunk

Let me know if you need any further information, will be more than happy to help. 

Cheers!
Abhi M

repti...@gmail.com

Jul 22, 2013, 12:17:46 AM
to owas...@googlegroups.com

Hello Chuck;

Do you know where I can get a detailed guide on pen testing the applications on BWA?

ri

Abhi M Balakrishnan

Jul 22, 2013, 9:03:33 AM
to owas...@googlegroups.com

Each application has its own videos, tutorials etc. on its respective/related website.

For example, 
WebGoat has videos and instructions from YGN Ethical Hacker Group
Mutillidae has many tutorial videos on their YouTube channel: webpwnized
OWASP Bricks has got many tutorials on their website/YouTube channel

This list is also a good reference: http://sourceforge.net/apps/trac/owaspbwa/report/1