Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
- Testing Web Application Security Scanners
- Testing Static Code Analysis tools (SCA)
- Giving an introductory course to Web Application Security
The motivation for creating this tool came after reading "anantasec-report.pdf" which is included in the release file which you are free to download. The main objective of this tool is to give the community a ready to use testbed for web application security tools. For almost every web application vulnerability that exists in the wild, there is a test script available in moth.
There are three different ways to access the web applications and vulnerable scripts included in moth:
- Through mod_security
- Through PHP-IDS (only if the web application is written in PHP)
Both mod_security and PHP-IDS have their default configurations and they show a log of the offending request when one is found. This is very useful for testing web application scanners, and teaching students how web application firewalls work. The beauty is that a user may access the same vulnerable script using the three methods; which helps a lot in the learning process.
More information about how to use moth will be posted in our blog within the following weeks.
Click here to download moth from sourceforge.