RandomStorm acquire DVWA
RandomStorm have acquired Damn Vulnerable Web App (DVWA) :)
RandomStorm showed their interest in DVWA and wanted to help the project grow. After some weeks of talks we have settled on an agreement which I believe will benefit the DVWA project immensely.
What do RandomStorm do?
RandomStorm was formed in 2007 to provide a proactive vulnerability management service for companies and organisations that take network security seriously and need to demonstrate maximum due diligence in protecting personal and corporate information.
Open Source Web Application Scanner Poll Results
I started a poll last week on the 1st of December titled ‘Open Source Web Application Vulnerability Scanners’. The aim of this poll was to gain feedback from as many people in the security community as possible to find out which was their preferred open source web application vulnerability scanner, what they preferred about it and what they would improve about their favourite scanner. The poll has run for almost 7 days. The poll link was posted on Twitter (via my Twitter account), on this blog and on www.ethicalhacker.net.
The total number of submissions was 32; however, there were some anomalies in the data, mainly due to my own fault. I had originally included Burp Suite, having confused its free version with being open source, which turns out not to be the case. I also had submissions from application developers. I did not state that I wouldn’t be counting their votes, but I believe it is fairer if we don’t. After taking out the votes for Burp Suite (3 before removing the option), the submissions from application developers (2) and the submissions for other commercial scanners (2), it left us with a total of 25 submissions.
Open Source Web Application Scanner Poll
I am trying to find out from the community which open source web application scanners they use and why. Please take the poll, once, and answer honestly. Thank you! ;)
http://spreadsheets.google.com/viewform?formkey=dFNpQmNfUWx4UEFicW0wQXlZTFQyV0E6MA
Netsparker – The next gen web app scanner

I was lucky enough to get my greasy hands on a copy of ‘Netsparker Final BETA’ from Mavituna Security’s project leader Ferruh Mavituna.
Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology it’s built on, just like an actual attacker. It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more.
I tested Netsparker v0.9.9.9935 (FINAL BETA) against DVWA v1.0.6. Setting up a new scan was as easy as putting in the DVWA URL, adding the security/PHPSESSID cookies and then selecting the different vulnerabilities to scan for. Netsparker picked up on almost all of DVWA’s vulnerabilities, even the SQL Injection vulnerability, which a lot of web application scanners have problems picking up for some reason. I sent Ferruh an email listing the vulnerabilities it did not pick up on; he has already added scans for some of these and will implement others in future.
DVWA v1.0.5 coming soon…
DVWA v1.0.5 will be released in the near future sporting many changes including more vulnerabilities and features.
Since version 1.0.4 we have had a bigger open source community, which has pushed DVWA to a whole new level; without them the project couldn’t be what it is today.
DVWA v1.0.5 change log:
Complete re-code.
Complete re-design.
CSRF vulnerability.
Stored XSS vulnerability.
Full Path Disclosure vulnerability.
Login page.
Sessions.
Many bug fixes.
PHPIDS implementation.
+ much more