bWAPP Scan


Stefan

Dec 5, 2021, 4:50:40 AM
to OWASP ZAP User Group
Is there a benchmark against bWAPP? After my scan, OWASP ZAP could not find any SQL injection ... And despite authentication, it was not possible for ZAP to crawl the sub-pages of bWAPP. I solved this problem by importing the approx. 140 URLs, but it still doesn't find any SQL injection ... Compared to "Arachni" (14 SQL injections). Can these results be true? Has anyone already experienced it?

Stefan

Dec 5, 2021, 4:52:18 AM
to OWASP ZAP User Group

Alert type                                                                  Risk           Count
Cross Site Scripting (DOM Based)                                            High              14 (0.6%)
Cross Site Scripting (Reflected)                                            High               1 (0.0%)
Path Traversal                                                              High               2 (0.1%)
Application Error Disclosure                                                Medium            54 (2.2%)
Directory Browsing                                                          Medium             6 (0.2%)
Vulnerable JS Library                                                       Medium             1 (0.0%)
X-Frame-Options Header Not Set                                              Medium           141 (5.9%)
Absence of Anti-CSRF Tokens                                                 Low              207 (8.6%)
Application Error Disclosure                                                Low                1 (0.0%)
Cookie No HttpOnly Flag                                                     Low                5 (0.2%)
Cookie without SameSite Attribute                                           Low                8 (0.3%)
Private IP Disclosure                                                       Low                2 (0.1%)
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)   Low              242 (10.1%)
Timestamp Disclosure - Unix                                                 Low             1491 (62.1%)
X-Content-Type-Options Header Missing                                       Low              199 (8.3%)
Content-Type Header Missing                                                 Informational     10 (0.4%)
Information Disclosure - Sensitive Information in URL                       Informational      6 (0.2%)
Information Disclosure - Suspicious Comments                                Informational     12 (0.5%)
Total                                                                                       2402

Simon Bennetts

Dec 6, 2021, 3:46:22 AM
to OWASP ZAP User Group
No, we don't have any benchmarks for running ZAP against bWAPP (and against a load of other vulnerable apps) but we would love to have them :)
So help with that would be much appreciated.
Did you try the ajax spider as well as the standard spider?
How many URLs did each of them find?
Did you check that authentication was working with the spiders?

Cheers,

Simon

Stefan

Dec 6, 2021, 4:53:27 AM
to OWASP ZAP User Group
Thanks for the fast response! Here is a scan with Ajax Spider + authentication. The possible URLs with vulnerabilities are in the file "bugs.txt". The URLs found are in the "AJAXSCAN.csv" file. Maybe it has to do with how the bWAPP website is structured!?

In order to get to a website with a vulnerability within bWAPP, you must first press the vulnerability and then a button ("bwapp1": selection; "bwapp2": website with weak points).

Or I'm making a mistake somewhere, but the output also tells me:
"Authentication successful.
Authentication successful.
Authentication successful.
Authentication successful.
Authentication successful.
Authentication successful. "
Attachments: ajaxscan.csv, bwapp1.png, bugs.txt, bwapp2.png

Simon Bennetts

Dec 6, 2021, 6:57:57 AM
to OWASP ZAP User Group
Why do people design Web UIs like this??
That's a rhetorical question, I don't expect you to answer it ;)

OK, so that makes the site very difficult for automated tools to explore.
Importing the list of URLs is one option, but you should spider them afterwards in order to pick up any URL params and submit forms.
Another option would be to write a custom Selenium script to select each vuln in turn and click the relevant button.
I would raise an issue on this project but it looks like it's not been updated since 2014, so probably not much point?

Cheers,

Simon
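One way to do what Simon suggests, as an added example that is not part of this thread, of ZAP or of bWAPP: a Python Selenium script that logs in, selects each entry of the portal's vulnerability list in turn, clicks the button and records where it landed, with the browser proxied through ZAP so every bug page ends up in ZAP's history for the active scan. The form field names ("login", "password", "bug", "form"), the proxy address and the bee/bug account are assumptions to verify against your own install.

```python
"""Walk bWAPP's portal through ZAP so the scanner records every bug page.
Hypothetical helper, not ZAP's or bWAPP's own code. Assumed form names
(verify against your install): login.php has inputs "login"/"password",
portal.php has <select name="bug">, both submit via a control named "form"."""

ZAP_PROXY = "127.0.0.1:8080"  # assumption: ZAP's default listen address
# Selenium 4 accepts the plain locator strings behind By.NAME / By.TAG_NAME,
# so the crawl logic needs no selenium import and can be exercised offline.
BY_NAME, BY_TAG = "name", "tag name"

def login(driver, login_url, user, password, submit_name="form"):
    """Submit the login form; the session cookie then rides through ZAP."""
    driver.get(login_url)
    driver.find_element(BY_NAME, "login").send_keys(user)
    driver.find_element(BY_NAME, "password").send_keys(password)
    driver.find_element(BY_NAME, submit_name).click()
    return driver.current_url

def list_bug_values(driver, portal_url, select_name="bug"):
    driver.get(portal_url)  # collect the option values of the vulnerability list
    sel = driver.find_element(BY_NAME, select_name)
    return [o.get_attribute("value") for o in sel.find_elements(BY_TAG, "option")]

def visit_every_bug(driver, portal_url, select_name="bug", submit_name="form"):
    """Select each vulnerability in turn, click the button, record where it led."""
    visited = []
    for value in list_bug_values(driver, portal_url, select_name):
        driver.get(portal_url)  # the submit navigates away, so reload each time
        sel = driver.find_element(BY_NAME, select_name)
        for opt in sel.find_elements(BY_TAG, "option"):
            if opt.get_attribute("value") == value:
                opt.click()  # clicking an <option> selects it
                break
        driver.find_element(BY_NAME, submit_name).click()
        visited.append(driver.current_url)  # now in ZAP's history, ready to scan
    return visited

def make_zap_driver(proxy=ZAP_PROXY):
    """Chrome with all traffic routed through the ZAP proxy."""
    from selenium import webdriver  # imported here: only a real run needs it
    opts = webdriver.ChromeOptions()
    opts.add_argument(f"--proxy-server=http://{proxy}")
    opts.add_argument("--ignore-certificate-errors")  # ZAP's CA is usually untrusted
    return webdriver.Chrome(options=opts)

if __name__ == "__main__":  # usage: script.py <login.php URL> <portal.php URL>
    import sys
    drv = make_zap_driver()
    login(drv, sys.argv[1], "bee", "bug")  # bWAPP's documented default account
    print("\n".join(visit_every_bug(drv, sys.argv[2])))
    drv.quit()
```

Once the script has finished, every URL it printed is in ZAP's site tree, so the active scan can be pointed at the bWAPP context rather than at the portal page alone.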