Simple Web Server (SWS) Test Case

Simple Web Server (SWS) Test Case for beSTORM

Beyond Security's Simple Web Server (SWS) is a web server application created for internal testing of the beSTORM fuzzer, while working on the HTTP 1.0 and HTTP 1.1 protocol modules. The server was built with a large set of common security holes which allows testing of fuzzing tool functionality and scenario coverage.

Currently, use of this application has evolved and it is also used for training new engineers in basic exploitation and customer training of QA Security engineers and Black Box Testers.

Technical details

The Simple Web Server does not support the entire HTTP protocol suite, however it will work as a standard web server with any browser.

Vulnerabilities found in the application:

1. Off-By-One in Content-Length (Integer overflow/malloc issue)
2. Overflow in User-Agent
3. Overflow in Method
4. Overflow in URI
5. Overflow in Host
6. Overflow in Version
7. Overflow in complete packet
8. Off By One in Receive function (linefeed/carriage return issue)
9. Overflow in Authorization Type
10. Overflow in Base64 decoded
11. Overflow in Username of authorization
12. Overflow in Password of authorization
13. Overflow in Body
14. Cross site scripting

Disclaimer and legal notice

This web server MUST NEVER BE USED ON THE INTERNET, it is very vulnerable and can be trivially exploited. Beyond Security takes no responsibility for this software, nor any use or misuse made of or with it. It is provided AS-IS with no warranty or liability.

Download

To download SWS, click here.

More beSTORM Test Cases

For more information about the beSTORM fuzzer and a demo download, click here.

To download the ANI 0day fuzzing module, click here.