Skip to content

AvalZ/DVAS

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Damn Vulnerable Application Scanner (DVAS)

This repository contains a collection of web-based (vulnerable) security scanners, including (but not limited to) the vulnerabilities from "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners" [1]. DVAS also contains a simulation of CVE-2020-7354 and CVE-2020-7355 for Metasploit Pro [2].

Getting Started

DVAS comes with 2 main components:

  1. Scanner acts as a normal security scanner, gathering information from the selected target.
  2. Attacker acts as a malicious target that answers with an attack payload. NOTE: you do not need to use this component. You can build your own, or you can use RevOK.

This repository includes multiple deploy options.

Docker Compose

  1. git clone https://github.com/AvalZ/DVAS.git OR git clone [email protected]:AvalZ/DVAS.git
  2. cd DVAS
  3. docker-compose up

Scanner is now available at http://localhost:8080, while Attacker is available at http://localhost:8081.

Manual

Prerequisites:

  • Nmap
  • PHP 7.2+

(TODO)

References

  1. A. Valenza, G. Costa, A. Armando. "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners"
  2. Attacking the Attackers

About

Damn Vulnerable Application Scanner

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published