Simple Web Server (SWS) Test Case

Simple Web Server (SWS) Test Case for beSTORM

Simple Web Server version 3.0.3
MD5: e388d763b304e92b56717e1e66ba3f6a
SHA1: 229e7b865fb678ab2ead301e09ab528c306b0efe

Beyond Security's Simple Web Server (SWS) is a web server application created for internal testing of the beSTORM fuzzer, while working on the HTTP 1.0 and HTTP 1.1 protocol modules. The server was built with a large set of common security holes which allows testing of fuzzing tool functionality and scenario coverage.

Currently, use of this application has evolved and it is also used for training new engineers in basic exploitation and customer training of QA Security engineers and Black Box Testers.

Technical details

The Simple Web Server does not support the entire HTTP protocol suite, however it will work as a standard web server with any browser.

Vulnerabilities found in the application:

  1. Off-By-One in Content-Length (Integer overflow/malloc issue)
  2. Overflow in User-Agent
  3. Overflow in Method
  4. Overflow in URI
  5. Overflow in Host
  6. Overflow in Version
  7. Overflow in complete packet
  8. Off By One in Receive function (linefeed/carriage return issue)
  9. Overflow in Authorization Type
  10. Overflow in Base64 decoded
  11. Overflow in Username of authorization
  12. Overflow in Password of authorization
  13. Overflow in Body
  14. Cross site scripting

Disclaimer and legal notice

This web server MUST NEVER BE USED ON THE INTERNET, it is very vulnerable and can be trivially exploited. Beyond Security takes no responsibility for this software, nor any use or misuse made of or with it. It is provided AS-IS with no warranty or liability.

Download

To download SWS, click here.

More beSTORM Test Cases

For more information about the beSTORM fuzzer and a demo download, click here.

To download the ANI 0day fuzzing module, click here.


More Info:

Beyond Security

is an Approved Scanning Vendor for the Payment Card Industry

Web Application Testing:

Discover security issues in web apps, web sites, their related equipment and databases