= Changes version 1.2 =
(*) Added 816 Path Traversal / Local File Inclusion test cases.
(*) Added 8 categories of false positive Path Traversal / Local File Inclusion test cases.
(*) Added 108 Remote File Inclusion test cases.
(*) Added 6 categories of false positive Remote File Inclusion test cases.
(*) Replicated 408 Path Traversal test cases to “active-form-action-version” directory,
and altered them to include the action property in forms.
(*) Created a platform for easily implementing test cases for 4+ additional vulnerabilities (Open Redirect, Insecure Forward/File Enumeration, Code LFI, Code RFI, etc.) – will be implemented in future versions of wavsep (for now implemented as false-positive LFI/RFI test cases).
(*) Fixed a few minor spelling issues.
(*) Updated the main index page and several other index pages.
(*) Added documentation on the admin/root permissions required to run wavsep (the tomcat user should be granted permissions on the /db/ folder under tomcat/eclipse root, or root/admin privileges – recommended for better coverage of lfi/rfi test cases).
A vulnerable web application designed to help assess the features, quality and accuracy of web application vulnerability scanners.
This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
Note: as of v1.2 – in order to get a full coverage of the path traversal test cases, the tomcat web server must run with admin/root/high privileged OS user account.
Although some of the test cases are vulnerable to additional exposures, the purpose of each test case is to evaluate the detection accuracy of one type of exposure, and thus, “out of scope” exposures should be ignored when evaluating the accuracy of vulnerability scanners.
(@) Use a JRE/JDK that was installed using an offline installation (the online installation caused unknown bugs for some users).
(1) Download & install Apache Tomcat 6.x
(2) Download & install MySQL Community Server 5.5.x (Remember to enable remote root access if not in the same station as wavsep, and to choose a root password that you remember).
(3) Copy the wavsep.war file into the tomcat webapps directory (usually "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps" – Windows 32/64 Installer)
(4) Restart the application server
(5) On WinXP, as long as you are using a high-privileged user, you can skip this phase; on Win7, make sure you run the tomcat server with administrative privileges (right click on and execute); and on Ubuntu Linux, run the following commands:
sudo mkdir /var/lib/tomcat6/db
sudo chown tomcat6:tomcat6 /var/lib/tomcat6/db/
(6) Initiate the install script at: http://localhost:8080/wavsep/wavsep-install/install.jsp
(7) Provide the database host, port and root credentials to the installation script, in addition to customizable wavsep database user credentials.
(8) Access the application at: http://localhost:8080/wavsep/
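The Ubuntu part of step (5) above, written as an idempotent helper that also verifies the result. This is an added example, not a script shipped with wavsep: it assumes a Tomcat base directory and a service user/group passed as parameters (the defaults match the /var/lib/tomcat6 and tomcat6:tomcat6 values used in the steps above), creates the db directory the wavsep installer writes to, sets its ownership, and reports the resulting owner so a misconfigured directory is caught before the install.jsp step is run.

```shell
#!/bin/sh
# Added example (not part of the wavsep project): prepare and verify the
# db directory that the tomcat service user needs write access to.
# Usage: wavsep_prepare_db_dir [tomcat_base] [user] [group]
# Defaults are the Ubuntu values from the install steps above.
wavsep_prepare_db_dir() {
  base="${1:-/var/lib/tomcat6}"
  user="${2:-tomcat6}"
  group="${3:-tomcat6}"
  dir="$base/db"

  # Create the directory only if missing, so re-running is harmless.
  if [ ! -d "$dir" ]; then
    mkdir -p "$dir" || return 1
  fi

  # Hand the directory to the service account (needs root when the
  # target user is not the current user, hence the sudo in the steps above).
  chown "$user:$group" "$dir" || return 1

  # Restrict the directory to the service account; nothing else on the
  # host needs to read or write wavsep's working files.
  chmod 750 "$dir" || return 1
  return 0
}

# Report "owner:group" of the db directory so the caller can confirm it
# matches the account the Tomcat service actually runs as.
wavsep_db_dir_owner() {
  base="${1:-/var/lib/tomcat6}"
  # ls -ld prints owner in field 3 and group in field 4 on Linux.
  ls -ld "$base/db" | awk '{ print $3 ":" $4 }'
}

# Stand-alone run: prepare the real directory and print its owner.
# (Commented out so that sourcing this file has no side effects.)
# wavsep_prepare_db_dir && wavsep_db_dir_owner
```

Run it as root on the Tomcat host (sudo sh -c '. ./prepare.sh; wavsep_prepare_db_dir && wavsep_db_dir_owner'); the printed owner should be the user shown in the Tomcat process listing, otherwise the LFI/RFI test cases that write under db/ will not be reachable.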