Updates bWAPP v-2.2 and bee-box v-1.6 : an extremely buggy web app.

Updates bWAPP v-2.2 and bee-box v-1.6 : an extremely buggy web app.

———————–
bee-box – Release notes
———————–
v1.6
****
Release date: 2/11/2014
bWAPP version: 2.2
New features:
– Vulnerable Drupal installation (Drupageddon)
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue… bWAPP is covering a wide range of vulnerabilities!

Available on Windows 7, 8, Mac OSX and all Linux Variant

Available on Windows 7, 8, Mac OSX and all Linux Variant

Features
– SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP and SMTP injections
– Blind SQL injection and Blind OS Command injection
– Boolean-based and time-based Blind SQL injections
– Drupal SQL injection (Drupageddon)
– AJAX and Web Services issues (JSON/XML/SOAP)
– Heartbleed vulnerability (OpenSSL) + detection script included
= Shellshock vulnerability (CGI)
– Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
– phpMyAdmin BBCode Tag XSS
– Cross-Site Request Forgery (CSRF)
– Information disclosures: favicons, version info, custom headers,…
– Unrestricted file uploads and backdoor files
– Old, backup & unreferenced files
– Authentication, authorization and session management issues
– Password and CAPTCHA attacks
– Insecure DistCC, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
– Arbitrary file access with Samba
– Directory traversals and unrestricted file access
– Local and remote file inclusions (LFI/RFI)
– Server Side Request Forgery (SSRF)
– XML External Entity attacks (XXE)
– Man-in-the-Middle attacks (HTTP/SMTP)
– HTTP parameter pollution and HTTP verb tampering
– Denial-of-Service (DoS) attacks: Slow Post, SSL-Exhaustion, XML Bomb,…
– POODLE vulnerability
– BREACH/CRIME/BEAST SSL attacks
– HTML5 ClickJacking and web storage issues
– Insecure iFrame (HTML5 sandboxing)
– Insecure direct object references (parameter tampering)
– Insecure cryptographic storage
– Cross-Origin Resource Sharing (CORS) issues
– Cross-domain policy file attacks (Flash/Silverlight)
– Local privilege escalations: udev, sendpage
– Cookie and password reset poisoning
– Host header attacks: password reset poisoning en cache pollutions
– PHP CGI remote code execution
– Dangerous PHP Eval function
– Local and remote buffer overflows (BOF)
– phpMyAdmin and SQLiteManager vulnerabilities
– Nginx web server vulnerabilities
– HTTP response splitting, unvalidated redirects and forwards
– WSDL SOAP vulnerabilities
– Form-based authentication and No-authentication modes
– Active Directory LDAP integration
– Fuzzing possibilities
– and much more…
– HINT: download our bee-box VM > it has ALL necessary extensions
– bee-box is compatible with VMware and VirtualBox!

Download version :
bee-box_v1.6.7z (1.2 GB) 
bWAPPv2.2.zip (15.1 MB) 
Find Other Version |
Source : http://www.itsecgames.com/