Re: Need a real Java web application with vulnerabilities

[Marc-André Laverdière <marc-andre () atc tcs com>]

You can have a try at Securibench. Some of the apps in there don't run without 
some serious armtwisting though, but its good enough for manual review and 
static analysis.

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On Monday 08 March 2010 02:15 PM, Holger Peine wrote:
> Hello,
>
> I have a student who wants to perform a mostly manual security review
> of some Java web application as his master's thesis work. I am well
> aware of pedagogical, deliberately insecure applications like Webgoat
> and many others. However, we need a real application for this:
>
> - Real code, since the job should create a realistic experience for
>    the student, and the results should not be readily available
>    in advance (as with Webgoat etc.)
>
> - Open source, so that source code review is possible, too
>
> - Containing some vulnerabilities (so that the review will not be
>    too frustrating)
>
> - Medium-sized, to give a student (who has some beginner knowledge
>    of web security) maybe two months of review work (the rest of his
>    time will go into understanding web securty review and testing
>    techniques and into writing up)
>
> - Written in Java (e.g. not PHP), since this is the only language
>    the student is sufficiently proficient in.
>
> I was thinking that an early version of some open source application
> such as a CMS might be a good candidate(?)
>
> I'm hoping for your suggestions,
> Holger Peine



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------