Skip to content

Latest commit

 

History

History
419 lines (269 loc) · 8.08 KB

release_notes.md

File metadata and controls

419 lines (269 loc) · 8.08 KB

bWAPP - Release notes

v2.2

Release date: 2/11/2014

Number of bugs: > 100

New bugs:

  • Insecure iFrame (Login Form)

New bugs exploitable on bee-box v1.6:

  • Drupal SQL Injection (Drupageddon)
  • POODLE Vulnerability
  • SQLiteManager Local File Inclusion

v2.1

Release date: 27/09/2014

Number of bugs: > 100

New bugs:

  • Base64 Encoding (Secret)
  • Broken Authentication - CAPTCHA Bypassing
  • Cross-Site Scripting - Stored (User-Agent)
  • iFrame Injection
  • SQL Injection - Stored (User-Agent)

New bugs exploitable on bee-box v1.5:

  • Shellshock Vulnerability (CGI)

v2.0

Release date: 12/05/2014

Number of bugs: > 90

New bugs:

  • Cross-Site Scripting - Reflected (Login Form)
  • SQL Injection (AJAX/JSON/jQuery)
  • SQL Injection (POST/Select)
  • SQL Injection (Login Form/User)
  • SQL Injection (SQLite)
  • SQL Injection - Stored (SQLite)
  • SQL Injection - Blind - Time-Based
  • SQL Injection - Blind (SQLite)

New bugs exploitable on bee-box v1.4:

  • BEAST/CRIME/BREACH Attacks
  • Buffer Overflow (Local)
  • Buffer Overflow (Remote)
  • Denial-of-Service (Large Chunk Size)
  • Denial-of-Service (SSL-Exhaustion)
  • Local Privilege Escalation (sendpage)
  • phpMyAdmin BBCode Tag XSS
  • SQLiteManager PHP Code Injection
  • SQLiteManager XSS
  • SSL 2.0 Deprecated Protocol

Modifications:

  • Google fonts are stored locally

New features:

  • A.I.M. subnet functionality
  • bWAPP is licensed under Creative Commons (Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International)

v1.9+

Release date: 19/04/2014

Number of bugs: > 70

New bugs exploitable on bee-box v1.3:

  • Heartbleed Vulnerability (OpenSSL)
  • Insecure SNMP configuration

Modifications:

  • Blog entries per user ('Show all' and 'Delete' entry options)
  • bWAPP reset functionality only available for users with admin privileges

New features:

  • Custom CSS stylesheet for low resolution screens (stylesheet_low_resolution.css)

v1.9

Release date: 11/03/2014

Number of bugs: > 70

New bugs:

  • Broken Authentication - Weak Passwords
  • Command Injection - Blind
  • Cross-Site Scripting - Reflected (Custom HTTP Header)
  • Cross-Site Scripting - Stored (Change Secret)
  • Denial-of-Service (XML Bomb)
  • Host Header Attack (Cache Poisoning)
  • Host Header Attack (Reset Poisoning)
  • Insecure Direct Object References (Reset Secret)
  • Old, Backup & Unreferenced Files
  • PHP Code Injection
  • Server Side Request Forgery (SSRF)
  • SQL Injection (Search/POST)
  • SQL Injection (Search/CAPTCHA)
  • SQL Injection - Stored (Blog)
  • SQL Injection - Stored (XML)
  • Unvalidated Redirects & Forwards (2)
  • XML External Entity Attacks (XXE)

New features:

  • Evil 666 Fuzzing page
  • Evil Bug Mode, all security levels are bypassed in this mode by using a fixed cookie
  • Insecure Client Access Policy file (Silverlight)
  • Manual Intervention Required! page
  • We Steal Secrets... pages

Modifications:

  • Possibility to exclude 'dangerous' files in the A.I.M. mode
  • The database connection settings are moved to the 'admin/settings.php' file

v1.8

Release date: 15/12/2013

Number of bugs: > 65

New bugs:

  • SQL Injection - Blind (Web Services/SOAP)

New bugs exploitable on bee-box v1.2:

  • Insecure FTP
  • Insecure WebDAV
  • PHP CGI Remote Code Execution
  • Server-Side Includes Injection

New features:

  • NSA backdoor file
  • Unprotected Admin Portal > a shortcut to the 'settings' file
  • WSDL file (Web Services/SOAP)

Bug fixes:

  • Issue with 'Restrict Folder Access'
  • Issue with 'Session ID in URL'

Modifications:

  • A.I.M. feature > list of IP addresses
  • Unrestricted File Upload > unsafe black-list in security level medium
  • table 'movies' > extra column: tickets_stock

v1.7

Release date: 31/10/2013

Number of bugs: > 60

New bugs:

  • HTTP Verb Tampering
  • Server Side Request Forgery (SSRF)
  • Session ID in URL
  • XSS - Reflected (AJAX/JSON)
  • XSS - Reflected (AJAX/XML)

New features:

  • A.I.M., a no-authentication mode for testing web scanners and crawlers
  • Settings file, used for general application settings
  • OWASP & ZAP logo

New bugs exploitable on bee-box:

  • Local Privilege Escalation (udev)

Modifications:

  • Rearrangement to OWASP Top 10 2013
  • Added some new movies :)
  • Introduction text

v1.6

Release date: 5/10/2013

Number of bugs: > 60

New features:

  • Cross-Origin Resource Sharing (AJAX)
  • Information Disclosure - Favicon

New features exploitable on bee-box:

  • Arbitrary File Access (Samba)
  • Cross-Site Tracing (XST)
  • Denial-of-Service (Slow HTTP DoS)

Modifications:

  • Addition of an insecure jQuery script

v1.5

Release date: 09/09/2013

Number of bugs: > 55

New features:

  • ClickJacking (Movie Tickets)
  • Cross-Domain Policy File
  • Cross-Site Scripting - Reflected (HREF)
  • Cross-Site Scripting - Reflected (PHP_SELF)
  • HTML5 Web Storage (Secret)
  • HTTP Parameter Pollution
  • Insecure Direct Object References (Price)

Bug fixes:

  • Input validations and error handling
  • XSS issues :)

Modifications:

  • SQL Injection (Login) > welcome message has changed
  • New vulnerable XSS validation check (medium level)
  • test.php file > extra urldecode function

v1.4

Release date: 15/07/2013

Number of bugs: > 50

New features:

  • LDAP Injection
  • Client-Side Validation (Password)
  • PHP Eval Function
  • Remote and Local File Inclusion
  • Unsecure files: phpinfo.php, config.inc, test.php
  • Integration with bee-box (Ubuntu OS)

Bug fixes:

  • Input validations and error handling

Modifications:

  • Bugs are rearranged according to the OWASP Top 10 project (A1>A10)
  • Creation of users without e-mail activation
  • New hero table with passwords in clear text
  • SQL Injection (Login) > applied to the new hero table

v1.3

Release date: 20/01/2013

Number of bugs: 47

New features:

  • SQL Injection (Select)
  • Broken Authentication - Forgotten Function
  • Broken Authentication - Password Attacks
  • Authorization Testing - Restrict Folder Access

Bug fixes:

  • HTML5 issues

Modifications

  • Better compatibility with IE9
  • Stylesheet modifications

v1.2

Release date: 17/01/2013

New features:

  • Cross-Site Scripting - Stored (Cookies)
  • Cross-Site Request Forgery (Secret)
  • Insufficient Transport Layer Protection
  • Security Misconfiguration - MiTM (HTTP)
  • Security Misconfiguration - MiTM (SMTP)
  • Security Misconfiguration - Robots
  • Information Disclosure - Robots
  • Insecure Directory Object References (Secret)
  • Session Management - Cookies (Secure)
  • Session Management - Strong Sessions

Bug fixes:

  • CSRF: code optimization and error handling
  • Cookie 'security_level' is vulnerable for injection

Modifications

  • Name change: Session Management - Cookie Security >> Session Management - Cookies (HTTPOnly)
  • Name change: Cross-Site Scripting - Stored >> Cross-Site Scripting - Stored (Blog)

v1.1

New features:

  • HTML Injection - Reflected (Current URL)
  • Cross-Site Scripting - Reflected (Back Button)
  • XML and XPath Injection (Login)
  • XML and XPath Injection (Search)

Bug fixes:

  • Directory traversal: wrong directory in GET parameter (images/ is changed to documents/)

v1.01

New features:

  • none

Bug fixes:

  • bug fixes for the Apache platform
    • PHP session errors
    • connection setting issues ('localhost:3306' not valid)
    • time period for the 'security_level' cookie has changed to 1 year

v1.0

  • extra SQL user: bee/bug
  • e-mail modifications
    • recipient/sender addresses change

v0.15

  • Layout
  • Code optimization
  • New 'Info' page

v0.14

  • Layout
  • Code optimization

v0.13

  • Code optimization
  • Modifications:
    • XSS & HTML Injection Stored
      • No 'HTML entities check' in the SQL insert statement
      • 'HTML entities check' in the HTML output
  • New:
    • Authorization Testing - Restrict Device Access

Upcoming bugs /////////////

  • JSON
  • AJAX
  • Web Services