moth: vulnerable vm image for web app security scans

If you need some vulnerable web sites and scripts to test your security tools against, Moth has been released. Moth is a VM image hosting various vulnerable web applications and scripts. The project's blog mentions a listing of the vulnerabilities contained in the image, but it is not clear whether that is only a list or whether it also explains how to find and exploit each one.

The point of the project seems to be twofold: a test bed for web application security scanners and other tools, and a demonstration of how two protective layers behave in front of the same vulnerable code, namely ModSecurity (a web application firewall) and PHP-IDS (a PHP intrusion detection layer).

6 thoughts on “moth: vulnerable vm image for web app security scans”

  1. Something to note, the keyboard layout is set to “latam” and not “us”. To change this you need to edit /etc/default/console-setup and change the setting for xkblayout.
    Some keys to make life easier
    type & to get a /
    type / to get a –
    type > to get a : (I believe… not sure on this one).
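The layout fix described in the comment above, as an added shell example (not from the post, its commenters, or the Moth project). It assumes the Debian/Ubuntu console-setup syntax, in which the key is written in upper case as XKBLAYOUT="...", and works on a constructed copy of the file so it can be run safely outside the VM; on the VM you would point it at /etc/default/console-setup and then run setupcon or reboot (both assumptions about the image).

```bash
#!/bin/sh
# Added example, not code from the post or the Moth project.
# Rewrite (or add) the XKBLAYOUT setting in a console-setup style file so the
# console keyboard is "us" instead of "latam". Assumes Debian/Ubuntu syntax: KEY="value".
set -eu

set_xkblayout() {
    # $1: path to a console-setup file, $2: layout code such as us
    file="$1"
    layout="$2"
    if grep -q '^XKBLAYOUT=' "$file"; then
        # replace the existing line in place
        sed -i "s/^XKBLAYOUT=.*/XKBLAYOUT=\"$layout\"/" "$file"
    else
        # no setting present: append one
        printf 'XKBLAYOUT="%s"\n' "$layout" >> "$file"
    fi
}

get_xkblayout() {
    # print the current layout value, with or without surrounding quotes
    sed -n 's/^XKBLAYOUT="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1"
}

# Constructed sample standing in for /etc/default/console-setup on the Moth VM.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# CONFIGURATION FILE FOR SETUPCON
ACTIVE_CONSOLES="/dev/tty[1-6]"
CHARMAP="UTF-8"
CODESET="Lat15"
FONTFACE="VGA"
FONTSIZE="16"
XKBMODEL="pc105"
XKBLAYOUT="latam"
XKBVARIANT=""
XKBOPTIONS=""
EOF

echo "layout before: $(get_xkblayout "$SAMPLE")"
set_xkblayout "$SAMPLE" us
echo "layout after:  $(get_xkblayout "$SAMPLE")"
```

The `sed -i` form is GNU sed; on the VM itself `sudo loadkeys us` changes the running console immediately but does not survive a reboot, which is why the file edit is still needed.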

  2. Hi,
    I get completely messed up with the networking configuration. I can see two network interfaces in the VMX file (one bridged and one NAT), but after logging in I can see only “lo” and “vnet0”. Any possible solutions?

  3. Hey Fred and Nick!
    I have the same issue. Try running “sudo ifconfig -a” to see ALL of your interfaces. When I brought it up, I also had eth2 (NAT) and eth3 (BRIDGED), which you could change in the VMware settings for that VM if you’d like.
    Hope this helps!

  4. Tyler – Thanks a ton for your posting. I would have been there for a while trying to figure out the translated keys… got it working in US format now.
    For the other 2 – The resolution prevents you from seeing all of the output when you run ifconfig. You might pipe the output to more like this (don’t forget the pipe | symbol):
    ifconfig | more
    Alternatively you can say
    ifconfig eth0
    …or whatever interface you’re interested in.

  5. I downloaded this app and I haven’t been able to get it to work correctly.
    First off you need to change the keyboard layout: “sudo loadkeys us”.
    You also need to fix some of the Wivet files (menu.php, etc.) because it is not calculating the base address correctly, and you need to remove some PHP code in the code… The buffer overflow and format string vulns don’t work. The Python and Perl code eval don’t work either. If I get them working I will post the fixed VMware image. =/
