OWASP Benchmark Project #13298
Hi. I'm trying to scan a remote OWASP Benchmark with w3af (Ubuntu 14.04). It looks like it doesn't find any actual vulnerability so far except "blank http response body" and "DAV incorrect configuration". Could you give me any suggestions on how to scan it properly?
I haven't tried scanning it myself. Could you please add these to the ticket?
Scan configuration: the scanner itself is extremely slow compared to Zap, Arachni and Skipfish.
Running my own OWASP benchmark using:

```
docker run -i -p 8443:8443 owasp/benchmark
```

Using latest w3af from develop to scan the target using this script, which scans for blind SQL injection only in a subset of the tests:

```
# webspider
plugins
output console,text_file
output config text_file
set output_file output-w3af.txt
set verbose True
back
output config console
set verbose False
back
audit sqli, blind_sqli
crawl web_spider
crawl config web_spider
set follow_regex .*/benchmark/sqli-00/.*
back
back
target
set target https://localhost:8443/benchmark/sqli-Index.html
back
start
exit
```

And got at least two findings before I stopped the scan:

```
Blind SQL injection was found at: "https://localhost:8443/benchmark/sqli-00/BenchmarkTest00025", using HTTP method POST. The injectable parameter is: "BenchmarkTest00025". This vulnerability was found in the requests with ids 1351 and 1378.
Blind SQL injection was found at: "https://localhost:8443/benchmark/sqli-00/BenchmarkTest00431", using HTTP method POST. The injectable parameter is: "BenchmarkTest00431". This vulnerability was found in the requests with ids 7084 and 7115.
```

Something I noticed in this benchmark application is that they mix SQL injection tests with crawling / JS parsing. For example, in order to detect this vulnerability the scanner needs to have a JS engine:

https://localhost:8443/benchmark/sqli-00/BenchmarkTest00342.html?BenchmarkTest00342=SafeText

Since w3af doesn't have that, it will fail to find the SQL injection.

I haven't been trying to run it via docker. My OS is Ubuntu 14.04 LTS.
Please find attached a link to the debug file:
https://drive.google.com/open?id=1BsAK9Ip3WkaB41I2XbK_IPVtQz8lpzKH

On 3 January 2018 at 18:29, Andres Riancho wrote:
> Running my own OWASP benchmark using:
> docker run -i -p 8443:8443 owasp/benchmark
Let's start from something that we both know works: does the scan I run work for you?
It works and it has been running for an hour. The vulnerabilities I'm getting are like:
```
[Wed 03 Jan 2018 01:20:27 PM PST - vulnerability] The URL: "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00509.html" returned an empty body, this could indicate an application error.This information was found in the request with id 25825.
[Wed 03 Jan 2018 01:20:48 PM PST - error] The os_commanding plugin got an error while requesting "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00328.html?BenchmarkTest00328=SafeText". Reason: "Unexpected EOF"
[Wed 03 Jan 2018 01:21:20 PM PST - vulnerability] The URL: "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00202.html" returned an empty body, this could indicate an application error.This information was found in the request with id 26209.
[Wed 03 Jan 2018 01:22:07 PM PST - vulnerability] The URL: "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00200.html" returned an empty body, this could indicate an application error.This information was found in the request with id 26561.
[Wed 03 Jan 2018 01:23:07 PM PST - vulnerability] The URL: "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00198.html" returned an empty body, this could indicate an application error.This information was found in the request with id 27018.
[Wed 03 Jan 2018 01:23:51 PM PST - vulnerability] The URL: "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00201.html" returned an empty body, this could indicate an application error.This information was found in the request with id 27420.
[Wed 03 Jan 2018 01:23:59 PM PST - error] The xss plugin got an error while requesting "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00201.html?BenchmarkTest00201=zhg0v%20=zhg0v". Reason: "Unexpected EOF"
[Wed 03 Jan 2018 01:23:59 PM PST - error] The xss plugin got an error while requesting "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00201.html?BenchmarkTest00201=xms5t'xms5t". Reason: "Unexpected EOF"
```

On 3 January 2018 at 20:07, Andres Riancho wrote:
> Let's start from something that we both know works: does the scan I run work for you?
Those are not vulnerabilities, they are errors.
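To separate the two mechanically, here is an added Python triage script (not from the thread and not part of w3af) that parses the `[date - level] message` lines w3af prints to the console and to its text_file output, re-joins entries a mail client has wrapped, and groups them into real findings, empty-body notes and plugin errors. The sample lines are constructed from the output format shown above; the timestamped Blind SQL injection line is a constructed merge of the earlier finding into that format.

```python
import re

# Constructed sample in the w3af "[date - level] message" format seen in the
# thread; the first two entries are wrapped the way a mail client wraps them.
SAMPLE_OUTPUT = """\
[Wed 03 Jan 2018 01:20:27 PM PST - vulnerability] The URL: "
https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00509.html"
returned an empty body, this could indicate an application error.This
information was found in the request with id 25825.
[Wed 03 Jan 2018 01:20:48 PM PST - error] The os_commanding plugin got an
error while requesting "
https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00328.html?BenchmarkTest00328=SafeText".
Reason: "Unexpected EOF"
[Wed 03 Jan 2018 01:23:59 PM PST - error] The xss plugin got an error while requesting "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00201.html?BenchmarkTest00201=xms5t'xms5t". Reason: "Unexpected EOF"
[Wed 03 Jan 2018 01:25:10 PM PST - vulnerability] Blind SQL injection was found at: "https://192.168.10.150:8443/benchmark/sqli-00/BenchmarkTest00025", using HTTP method POST. The injectable parameter is: "BenchmarkTest00025". This vulnerability was found in the requests with ids 1351 and 1378.
"""

ENTRY_RE = re.compile(r'^\[(?P<when>[^\]]+) - (?P<level>\w+)\] (?P<msg>.*)$')
ERROR_RE = re.compile(r'The (?P<plugin>\w+) plugin got an error while requesting "\s*(?P<url>[^"]+)"\.\s*Reason: "(?P<reason>[^"]+)"')
FINDING_RE = re.compile(r'^(?P<name>.+?) was found at: "\s*(?P<url>[^"]+)"')
EMPTY_RE = re.compile(r'^The URL: "\s*(?P<url>[^"]+)" returned an empty body')

def entries(text):
    """Yield one string per log entry, re-joining mail-wrapped continuation lines."""
    current = None
    for raw in text.splitlines():
        if raw.startswith('['):          # a new "[date - level]" entry starts
            if current is not None:
                yield current
            current = raw
        elif current is not None:        # continuation of the wrapped entry
            current += ' ' + raw
    if current is not None:
        yield current

def triage(text):
    """Split w3af output into (findings, empty_body_notes, plugin_errors)."""
    findings, empty_body, errors = [], [], []
    for entry in entries(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        level, msg = m.group('level'), m.group('msg')
        if level == 'error' and (e := ERROR_RE.search(msg)):
            errors.append((e.group('plugin'), e.group('reason'), e.group('url').strip()))
        elif level == 'vulnerability' and (h := EMPTY_RE.match(msg)):
            empty_body.append(h.group('url').strip())   # heuristic note, not an injection
        elif level == 'vulnerability' and (f := FINDING_RE.match(msg)):
            findings.append((f.group('name'), f.group('url').strip()))
    return findings, empty_body, errors
```

A run of "Unexpected EOF" errors across several plugins against the same host points at the connection to the remote target rather than at the tests themselves, which is the first thing to check before reading the empty-body notes as findings.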
So I tried the setup you advised but I'm still getting errors. I'm not using docker and I'm scanning a remote Benchmark. Most probably something is going wrong with my w3af installation, since I was able to scan and find vulnerabilities with Zap, Arachni and Skipfish before.

On 3 Jan 2018 21:45, Andres Riancho wrote:
> Those are not vulnerabilities, they are errors.
Scan OWASP Benchmark Project using w3af, find false positives and negatives, improve.