Re: [Full-disclosure] Vulnerable test application: Simple Web Server (SWS)

[Strykar]

Very interesting, been a while on here now.
Downloading as I speak.. will post a follow-up.


- S

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:full-
> [EMAIL PROTECTED] On Behalf Of Gadi Evron
> Sent: Monday, September 10, 2007 11:36 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: full-disclosure@lists.grok.org.uk; code-
> [EMAIL PROTECTED]
> Subject: [Full-disclosure] Vulnerable test application: Simple Web
> Server (SWS)
> 
> Every once in a while (last time a few months ago) someone emails one
> of
> the mailing lists about searching for an example binary, mostly for:
> 
> - Reverse engineering for vulnerabilities, as a study tool.
> - Testing fuzzers
> 
> Some of these exist, but I asked my employer, Beyond Security, to
> release
> our test application, specific for testing fuzzing (built for the
> beSTORM
> fuzzer). They agreed to release the HTTP version, following their
> agreement to release our ANI XML specification.
> 
> The GUI allows you to choose what port your want to run it on, as well
> as
> which vulnerabilities should be "active".
> 
> It is called Simple Web Server or SWS, and has the following
> vulnerabilities:
> 
> 1. Off-By-One in Content-Length (Integer overflow/malloc issue)
> 2. Overflow in User-Agent
> 3. Overflow in Method
> 4. Overflow in URI
> 5. Overflow in Host
> 6. Overflow in Version
> 7. Overflow in complete packet
> 8. Off By One in Receive function (linefeed/carriage return issue)
> 9. Overflow in Authorization Type
>10. Overflow in Base64 decoded
>11. Overflow in Username of authorization
>12. Overflow in Password of authorization
>13. Overflow in Body
>14. Cross site scripting
> 
> It can be found on Beyond Security's website, here:
> http://www.beyondsecurity.com/sws_overview.html
> 
> Thanks,
> 
> Gadi Evron.
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Vulnerable test application: Simple Web Server (SWS)

[Gadi Evron]

Every once in a while (last time a few months ago) someone emails one of 
the mailing lists about searching for an example binary, mostly for:

- Reverse engineering for vulnerabilities, as a study tool.
- Testing fuzzers

Some of these exist, but I asked my employer, Beyond Security, to release 
our test application, specific for testing fuzzing (built for the beSTORM 
fuzzer). They agreed to release the HTTP version, following their 
agreement to release our ANI XML specification.

The GUI allows you to choose what port your want to run it on, as well as 
which vulnerabilities should be "active".

It is called Simple Web Server or SWS, and has the following 
vulnerabilities:

1. Off-By-One in Content-Length (Integer overflow/malloc issue)
2. Overflow in User-Agent
3. Overflow in Method
4. Overflow in URI
5. Overflow in Host
6. Overflow in Version
7. Overflow in complete packet
8. Off By One in Receive function (linefeed/carriage return issue)
9. Overflow in Authorization Type
   10. Overflow in Base64 decoded
   11. Overflow in Username of authorization
   12. Overflow in Password of authorization
   13. Overflow in Body
   14. Cross site scripting

It can be found on Beyond Security's website, here:
http://www.beyondsecurity.com/sws_overview.html

Thanks,

Gadi Evron.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/