OWASP / OWASP-VWAD

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
https://owasp.org/www-project-vulnerable-web-applications-directory/
Apache License 2.0

Damn Vulnerable Application Scanner (DVAS) #198

Closed gabriele-costa closed 10 months ago

gabriele-costa commented 10 months ago

DVAS contains a collection of web-based (vulnerable) security scanners, including (but not limited to) the vulnerabilities from "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners". DVAS also contains a simulation of CVE-2020-7354 and CVE-2020-7355 for Metasploit Pro.

github-actions[bot] commented 10 months ago

The following issues were identified:

Summary

```
src/data/collection.json invalid data/20/references/0/name must be equal to one of the allowed values
```

kingthorin commented 10 months ago

I'm confused: is this a target for learning or a tool to scan things?

If the latter, this is not the place to add it.

gabriele-costa commented 10 months ago

Yes, that is quite an unusual perspective :). DVAS is an intentionally vulnerable web scanner that is meant to demonstrate and teach about "responsive" attacks. Basically, when someone makes a scan, she/he might become the target of a counterattack if a vulnerable scanner is used. Understanding this attack scenario is subtle and DVAS comes with an attack tool (called revok) that one can use to see the attack in action. However, the attack should be done manually when the goal is education/awareness.

psiinon commented 10 months ago

@gabriele-costa nice research! OK for us (ZAP team) to reference it? If so is that the best URL for us to use?

psiinon commented 10 months ago

And any more feedback on your ZAP testing would be appreciated, e.g. details of the 4 tainted flows.

gabriele-costa commented 10 months ago

@psiinon Thank you! Yes, we would be very glad about that. Here are more details about the attacker model and vulnerabilities we found.

Let me know if I can provide further details.

gabriele-costa commented 10 months ago

> And any more feedback on your ZAP testing would be appreciated, e.g. details of the 4 tainted flows.

I'm checking this out

gabriele-costa commented 10 months ago

> And any more feedback on your ZAP testing would be appreciated, e.g. details of the 4 tainted flows.

Here we are. We found 4 tainted flows (but no actual vulnerability) with destination in the HTML report exported by ZAP. In particular, the following HTTP response headers were included: X-Powered-By, Location, X-Content-Type, and X-AspNet-Version. These results refer to tests that were carried out in 2020, thus they might be different now. Also, if I'm not wrong, the reporting system of ZAP might have changed in the meantime. However, since HTML reports can still be exported, RevOK could be used to repeat the experiments. If you are interested, we can provide help and support on this.
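The tainted flow described in this thread (untrusted response headers copied into a scanner's HTML report, the same mechanism behind the "responsive" attacks mentioned earlier), as an added example that is not code from DVAS, RevOK or ZAP: a minimal report builder that writes the four named headers into HTML, first unescaped (the taint sink) and then escaped, plus a check that reports which raw values containing markup reached the report verbatim. The header values are constructed sample data; the `<marker>` tag is a harmless placeholder used only to show whether markup survives.

```python
import html
from typing import Mapping

# Constructed sample: response headers a scanned server might return to a scanner.
# "<marker>" is a harmless tag used only to test whether markup is passed through.
SAMPLE_HEADERS = {
    "X-Powered-By": "PHP/7.4 <marker>",
    "Location": "/login?next=<marker>",
    "X-Content-Type": "text/html",
    "X-AspNet-Version": "4.0.30319",
}

# The four headers the thread names as tainted-flow destinations in the HTML report.
REPORTED_HEADERS = ("X-Powered-By", "Location", "X-Content-Type", "X-AspNet-Version")


def render_report_unsafe(headers: Mapping[str, str]) -> str:
    """Report builder that concatenates raw header values into HTML (the taint sink)."""
    rows = "".join(
        f"<tr><td>{name}</td><td>{headers.get(name, '')}</td></tr>"
        for name in REPORTED_HEADERS
    )
    return f"<html><body><table>{rows}</table></body></html>"


def render_report_safe(headers: Mapping[str, str]) -> str:
    """Same report, but every untrusted value is HTML-escaped before insertion."""
    rows = "".join(
        f"<tr><td>{html.escape(name)}</td>"
        f"<td>{html.escape(headers.get(name, ''), quote=True)}</td></tr>"
        for name in REPORTED_HEADERS
    )
    return f"<html><body><table>{rows}</table></body></html>"


def unescaped_markup(report: str, headers: Mapping[str, str]) -> list:
    """Names of headers whose raw value contains '<' or '>' and appears verbatim in the report."""
    return [
        name
        for name in REPORTED_HEADERS
        if any(c in headers.get(name, "") for c in "<>") and headers[name] in report
    ]
```

Running the check against both builders shows the unsafe report leaks the raw `X-Powered-By` and `Location` values, while the escaped report leaks none.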

psiinon commented 10 months ago

Thanks. Any of the authors have twitter accounts I can mention?

gabriele-costa commented 10 months ago

> Thanks. Any of the authors have twitter accounts I can mention?

Andrea has one https://twitter.com/avalz_

psiinon commented 10 months ago

FYI :) https://twitter.com/psiinon/status/1720082608019952083