Vicnum: A vulnerable Web App

A flexible web app showing vulnerabilities such as cross-site scripting, SQL injection, and session management issues. Helpful to IT auditors honing web security skills and setting up ‘capture the flag’ exercises.

    1. Vicnum – Description
       Mordecai Kraushar, CipherTechs, [email_address]
       Auditor, Trainer, Education Project

    2. Vicnum: the basics
       • A vulnerable web app using LAMP
         • Perl
         • PHP
       • Packaged as an Ubuntu VMware guest or as a zip
       • Open-source code released in 2009
       • An OWASP project: http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
       • Available for download at https://sourceforge.net/projects/vicnum/
       • Online ‘playing’ possible at http://vicnum.ciphertechs.com

    3. Vicnum: the game
       • Based on a game played to kill time
         • You enter your name to start playing the game
         • The computer picks a three-digit number with unique digits
         • The player tries to guess the computer’s number
         • The computer remembers its number and the player’s guesses
         • For each guess the computer tells the player:
           • “How many right and how many in the right position” and the number of guesses so far
         • Eventually the number is guessed and the player is prompted to store their results in a database
       • Note: the player’s guess need not be unique.

    4. Vicnum’s real goal
       • Have fun and generate interest in the field
       • A flexible, lightweight vulnerable web application useful to auditors honing their web app security skills
       • Easy to install, easy to grasp
       • Easy to modify
         • Can be used to test out new hacks and new defenses
         • Can be used to test whether a web VA (vulnerability assessment) tool can detect a vulnerability
         • Or whether a web application firewall can protect a vulnerability
         • Can be tailored to address different auditor skill sets
         • Can be tailored to accommodate different levels of ‘capture the flag’ exercises
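An added example (not Vicnum's own Perl/PHP, which this deck does not reproduce) implementing the game rules from slide 3 in Python: a secret of three distinct digits, the "how many right / how many in position" feedback, the running guess count, and the secret held server-side under a random session token instead of being handed to the client. How a repeated guess digit is counted is an assumption; the deck only says the guess need not be unique.

```python
import secrets
from dataclasses import dataclass, field

DIGITS = "0123456789"
_RNG = secrets.SystemRandom()  # CSPRNG, so the secret is not predictable


def pick_secret() -> str:
    """Three-digit secret with all digits different, as slide 3 describes."""
    return "".join(_RNG.sample(DIGITS, 3))


def score(secret: str, guess: str) -> tuple[int, int]:
    """Return (right, in_position).
    right: guess positions whose digit occurs anywhere in the secret
           (assumption: a repeated guess digit counts once per position).
    in_position: digits equal to the secret's digit at the same index."""
    if len(guess) != 3 or not guess.isdigit():
        raise ValueError("guess must be exactly three digits")
    right = sum(1 for d in guess if d in secret)
    in_position = sum(1 for s, g in zip(secret, guess) if s == g)
    return right, in_position


@dataclass
class Game:
    player: str
    secret: str = field(default_factory=pick_secret)
    guesses: list[str] = field(default_factory=list)


class GameServer:
    """State lives only on the server, keyed by an unguessable token; the
    client receives the token and the feedback, never the secret itself."""

    def __init__(self) -> None:
        self._games: dict[str, Game] = {}

    def start(self, player: str) -> str:
        token = secrets.token_urlsafe(32)
        self._games[token] = Game(player)
        return token

    def guess(self, token: str, guess: str) -> dict:
        game = self._games.get(token)
        if game is None:
            raise KeyError("unknown or expired session")
        right, in_pos = score(game.secret, guess)
        game.guesses.append(guess)
        return {"right": right, "in_position": in_pos,
                "guesses": len(game.guesses), "solved": in_pos == 3}
```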
