Skip to content

AvalZ/DVAS

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
attacker
attacker
 
 
scanner
scanner
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 

Repository files navigation

Damn Vulnerable Application Scanner (DVAS)

This repository contains a collection of web-based (vulnerable) security scanners, including (but not limited to) the vulnerabilities from "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners" [1]. DVAS also contains a simulation of CVE-2020-7354 and CVE-2020-7355 for Metasploit Pro [2].

Getting Started

DVAS comes with 2 main components:

  1. Scanner acts as a normal security scanner, gathering information from the selected target.
  2. Attacker acts as a malicious target that answers with an attack payload. NOTE: you do not need to use this component. You can build your own, or you can use RevOK.

This repository includes multiple deploy options.

Docker Compose

  1. git clone https://github.com/AvalZ/DVAS.git OR git clone [email protected]:AvalZ/DVAS.git
  2. cd DVAS
  3. docker-compose up

Scanner is now available at http://localhost:8080, while Attacker is available at http://localhost:8081.

Manual

Prerequisites:

  • Nmap
  • PHP 7.2+

(TODO)

References

  1. A. Valenza, G. Costa, A. Armando. "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners"
  2. Attacking the Attackers

About

Damn Vulnerable Application Scanner

Resources

Readme
Activity

Stars

5 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages