BugBox is a vulnerability corpus and exploit testbed for PHP web applications. BugBox provides an environment and a packaging mechanism that allows for the easy distribution and management of exploits, vulnerability data, and vulnerable applications. The goal is to facilitate empirical vulnerability studies, security tool evaluation, and security metrics research. In addition, the framework promotes security education by supporting exploit visualization through browser automation, and providing a sandbox where vulnerable applications can be run safely.
BugBox is currently distributed with the following applications:
| Application | Version |
|---|---|
| AjaXplorer | 2.5.1 |
| Cuteflow | 2.11.2 |
| Drupal | 6.14 |
| Drupal | 7.14 |
| eXtplorer | 2.1.0 |
| Family Connections | 2.7.1 |
| Glossword | 1.8.12 |
| Horde | 3.3.12 |
| jBoss | 4.2.0 |
| phpAccounts | 0.5.3 |
| PHP Address Book | 7.0.0 |
| TinyCMS | 1.3 |
| Wordpress | 2.8.3 |
| Wordpress | 3.2 |
| Wordpress | 3.3.1 |
In addition, a number of Wordpress plugins are also included:
| Plugin | Version |
|---|---|
| Artiss | 2.0.1 |
| CMS Tree Page View | 0.8.8 |
| Gigpress | 2.1.10 |
| Knews | 1.1.0 |
| Photosmash Galleries | 1.0.1 |
| Pretty Link | 1.5.2 |
| Schreikasten | 0.14.13 |
| SH Slideshow Plugin | 3.1.4 |
| Store Locator Plugs | 3.0.1 |
| WP DS FAQ | 1.3.2 |
| yolink Search Plugin | 1.1.4 |
System Requirements
BugBox is designed to work on Debian GNU/Linux and compatible distributions. The host system must have roughly 10 GB of storage available (4 GB per OS environment, and up to 2 GB for the web applications, engine, and exploit sources) and 2 GB of RAM. We recommend running Debian Wheezy, since it is currently the only release that has been extensively tested with BugBox.
If you choose to run our prebuilt Virtual Machine, you will need to have VirtualBox and Vagrant installed on your computer.
Warning: Because this software runs services with known vulnerabilities, and because some automated tasks performed by BugBox require superuser privileges, the host machine should not be reachable from the public Internet, and no other critical services should run on the same machine. Installing BugBox in its own dedicated virtual machine is the recommended approach, since it keeps the vulnerable applications isolated from the rest of your environment.
Obtaining BugBox
Git
You can pull the source code for the latest release directly from our GitHub repository using:
git clone https://github.com/UMD-SEAM/bugbox.git
The simplest way to get started is using our Vagrant Virtual Machine. After you have checked out the Git repository, simply run:
vagrant up
Vagrant will download our VM image and set it up for you.
Alternatively, if you have checked out the Git repository on your own Debian machine, you can set up BugBox by running this command:
sudo ./manualinstall.sh
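Before running either `vagrant up` or `manualinstall.sh`, it helps to confirm the host meets the requirements listed above. The POSIX shell script below is an added example and not part of the BugBox distribution; the thresholds (10 GB disk, 2 GB RAM, Debian-based host, VirtualBox and Vagrant on PATH) come from this README, while the function names and the `VBoxManage` tool check are this script's own assumptions.

```shell
#!/bin/sh
# preflight.sh (added example): check the BugBox host requirements from the
# README before installing. Exit status is non-zero if any hard check fails.

REQ_DISK_GB=10   # 4 GB per OS environment + up to 2 GB for apps, engine, exploits
REQ_RAM_GB=2

# free_gb DIR: whole gigabytes free on the filesystem that holds DIR
free_gb() {
    df -Pk "$1" | awk 'NR==2 { printf "%d\n", $4 / 1024 / 1024 }'
}

# ram_gb: total RAM in whole gigabytes (Linux /proc/meminfo); 0 if unknown
ram_gb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 / 1024 }' /proc/meminfo 2>/dev/null || echo 0
}

# is_debian_like: succeeds when /etc/os-release names Debian or a derivative
is_debian_like() {
    grep -qiE '^(ID|ID_LIKE)=.*debian' /etc/os-release 2>/dev/null
}

# check_value NAME ACTUAL REQUIRED: print a verdict; succeed if ACTUAL >= REQUIRED
check_value() {
    if [ "$2" -ge "$3" ]; then echo "ok   $1: $2 GB (need $3 GB)"; return 0; fi
    echo "FAIL $1: $2 GB (need $3 GB)"; return 1
}

# check_tools: the Vagrant route needs both Vagrant and VirtualBox installed
check_tools() {
    rc=0
    for t in vagrant VBoxManage; do
        if command -v "$t" >/dev/null 2>&1; then echo "ok   found $t"
        else echo "FAIL missing $t (needed for the Vagrant VM)"; rc=1; fi
    done
    return $rc
}

# preflight DIR: run every check against the install directory DIR
preflight() {
    rc=0
    check_value "disk space under $1" "$(free_gb "$1")" "$REQ_DISK_GB" || rc=1
    check_value "RAM" "$(ram_gb)" "$REQ_RAM_GB" || rc=1
    if is_debian_like; then echo "ok   Debian-compatible host"
    else echo "warn not a Debian-based host; only Debian Wheezy is well tested"; fi
    check_tools || rc=1
    return $rc
}
# usage: preflight /path/to/bugbox/checkout
```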
Documentation
We are currently working on the documentation for BugBox. Until it is ready, please see the usage output of the bbmanage.py script for getting started with the applications and exploits.
Contributing
Collaborators are welcome to post issues and pull requests on GitHub. Please feel free to send us any feedback at bugboxatcsdotumddotedu. We are interested in hearing about how BugBox is being applied in your research, as well as any ideas for making the project more useful to the community.