
Damn Vulnerable Application Scanner (DVAS) #198

Merged
merged 4 commits into from
Nov 2, 2023

Conversation

gabriele-costa
Contributor

DVAS contains a collection of web-based (vulnerable) security scanners, including (but not limited to) the vulnerabilities from "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners". DVAS also contains a simulation of CVE-2020-7354 and CVE-2020-7355 for Metasploit Pro.


github-actions bot commented Nov 2, 2023

The following issues were identified:

Summary
src/data/collection.json invalid
data/20/references/0/name must be equal to one of the allowed values

@kingthorin
Contributor

I’m confused: is this a target for learning or a tool to scan things?

If the latter, this is not the place to add it.

@gabriele-costa
Contributor Author

Yes, that is quite an unusual perspective :). DVAS is an intentionally vulnerable web scanner that is meant to demonstrate and teach about "responsive" attacks. Basically, when someone makes a scan, she/he might become the target of a counterattack if a vulnerable scanner is used. Understanding this attack scenario is subtle and DVAS comes with an attack tool (called revok) that one can use to see the attack in action. However, the attack should be done manually when the goal is education/awareness.

@psiinon
Member

psiinon commented Nov 2, 2023

@gabriele-costa nice research! OK for us (ZAP team) to reference it? If so is that the best URL for us to use?

@psiinon
Member

psiinon commented Nov 2, 2023

And any more feedback on your ZAP testing would be appreciated, e.g. details of the 4 tainted flows.

@kingthorin kingthorin merged commit 7cca4ab into OWASP:master Nov 2, 2023
1 check passed
@gabriele-costa
Contributor Author

@psiinon Thank you! Yes, we would be very glad about that. Here are more details about the attacker model and vulnerabilities we found.

  • Original attack reported in this paper @ RAID
  • Original blog post (by Andrea Valenza) describing the tainted flows in Metasploit Pro
  • Tool paper describing the reconstruction of the tainted flows

Let me know if I can provide further details

@gabriele-costa
Contributor Author

> And any more feedback on your ZAP testing would be appreciated, e.g. details of the 4 tainted flows.

I'm checking this out

@gabriele-costa
Contributor Author

> And any more feedback on your ZAP testing would be appreciated, e.g. details of the 4 tainted flows.

Here we are. We found 4 tainted flows (but no actual vulnerability) with destination in the HTML report exported by ZAP. In particular, the following HTTP response headers were included: X-Powered-By, Location, X-Content-Type, and X-AspNet-Version.
These results refer to tests that were carried out in 2020, thus they might be different now. Also, if I'm not wrong, the reporting system of ZAP might have changed in the meantime. However, since HTML reports can still be exported, RevOK could be used to repeat the experiments. If you are interested, we can provide help and support on this.
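
The tainted flows described above (target-controlled response header values landing in the scanner's HTML report) and the mitigation a report generator needs, as an added example that is not part of this thread, of DVAS, or of ZAP's own reporting code. The raw response, the report layout and the function names are constructed for illustration.

```python
import html

# Constructed sample: the raw response a scanned target might return to the
# scanner. A "responsive" target (the scenario DVAS is built to teach) can put
# active HTML into any header value it controls.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /login?next=<script>alert(1)</script>\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-Content-Type: text/html\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "\r\n"
)

# The four header names the thread reports as tainted-flow sources.
REPORTED_HEADERS = ("X-Powered-By", "Location", "X-Content-Type", "X-AspNet-Version")


def parse_headers(raw):
    """Return {name: value} for the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return headers


def render_report_unsafe(headers):
    """Tainted flow: header values copied verbatim into the HTML report sink."""
    rows = [f"<tr><td>{n}</td><td>{headers[n]}</td></tr>"
            for n in REPORTED_HEADERS if n in headers]
    return "<table>" + "".join(rows) + "</table>"


def render_report_safe(headers):
    """Mitigation: HTML-encode every value that originated from the target."""
    rows = [f"<tr><td>{html.escape(n)}</td><td>{html.escape(headers[n])}</td></tr>"
            for n in REPORTED_HEADERS if n in headers]
    return "<table>" + "".join(rows) + "</table>"


def has_unescaped_tag(report_html):
    """Sink check: does the report still contain a literal '<script' tag?"""
    return "<script" in report_html.lower()


if __name__ == "__main__":
    hdrs = parse_headers(RAW_RESPONSE)
    print("unsafe report tainted:", has_unescaped_tag(render_report_unsafe(hdrs)))  # True
    print("safe report tainted:  ", has_unescaped_tag(render_report_safe(hdrs)))    # False
```

The same check can be pointed at a real exported report to confirm that header values from the target arrive encoded rather than as markup.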

@psiinon
Member

psiinon commented Nov 2, 2023

Thanks. Any of the authors have twitter accounts I can mention?

@gabriele-costa
Contributor Author

> Thanks. Any of the authors have twitter accounts I can mention?

Andrea has one https://twitter.com/avalz_

@psiinon
Member

psiinon commented Nov 2, 2023

FYI :) https://twitter.com/psiinon/status/1720082608019952083
