[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Vulnerable test application: Simple Web Server (SWS)

To: "'Gadi Evron'" <ge@xxxxxxxxxxxx>, <pen-test@xxxxxxxxxxxxxxxxx>, <fuzzing@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Vulnerable test application: Simple Web Server (SWS)
From: "Strykar" <str@xxxxxxxxxxxxxxx>
Date: Mon, 10 Sep 2007 20:11:52 +0530

Very interesting, been a while on here now.
Downloading as I speak.. will post a follow-up.


- S

> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Gadi Evron
> Sent: Monday, September 10, 2007 11:36 AM
> To: pen-test@xxxxxxxxxxxxxxxxx; fuzzing@xxxxxxxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; code-
> crunchers@xxxxxxxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Vulnerable test application: Simple Web
> Server (SWS)
> 
> Every once in a while (last time a few months ago) someone emails one
> of
> the mailing lists about searching for an example binary, mostly for:
> 
> - Reverse engineering for vulnerabilities, as a study tool.
> - Testing fuzzers
> 
> Some of these exist, but I asked my employer, Beyond Security, to
> release
> our test application, specific for testing fuzzing (built for the
> beSTORM
> fuzzer). They agreed to release the HTTP version, following their
> agreement to release our ANI XML specification.
> 
> The GUI allows you to choose what port your want to run it on, as well
> as
> which vulnerabilities should be "active".
> 
> It is called Simple Web Server or SWS, and has the following
> vulnerabilities:
> 
>     1. Off-By-One in Content-Length (Integer overflow/malloc issue)
>     2. Overflow in User-Agent
>     3. Overflow in Method
>     4. Overflow in URI
>     5. Overflow in Host
>     6. Overflow in Version
>     7. Overflow in complete packet
>     8. Off By One in Receive function (linefeed/carriage return issue)
>     9. Overflow in Authorization Type
>    10. Overflow in Base64 decoded
>    11. Overflow in Username of authorization
>    12. Overflow in Password of authorization
>    13. Overflow in Body
>    14. Cross site scripting
> 
> It can be found on Beyond Security's website, here:
> http://www.beyondsecurity.com/sws_overview.html
> 
> Thanks,
> 
> Gadi Evron.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Vulnerable test application: Simple Web Server (SWS)
  - From: Gadi Evron

Prev by Date: Re: [Full-disclosure] Came across this site
Next by Date: Re: [Full-disclosure] n3td3v denounces the actions of www.derangedsecurity.com
Previous by thread: [Full-disclosure] Vulnerable test application: Simple Web Server (SWS)
Next by thread: [Full-disclosure] [SECURITY] [DSA 1370-1] New phpmyadmin packages fix several vulnerabilities
Index(es):
- Date
- Thread