OWASP Mutillidae II: Keep Calm and Pwn On
Version: 2.7.11
Listing of Vulnerabilities
  • Application Exception
  • Application log injection
  • Application path disclosure
  • Authentication Bypass via SQL injection
  • Brute force secret admin pages
  • Buffer overflow
  • Cascading style sheet injection
  • CBC bit flipping (latest)
  • Click-jacking
  • Client-side Security
  • Comments with sensitive data
  • Content type is not specified
  • Cookie scoped to parent domain
  • Credit card numbers disclosed
  • Cross Site Request Forgery
  • Denial of Service
  • Directory Browsing
  • DOM injection
  • Forms caching
  • Frame source injection
  • HTML injection
  • HTTP Parameter Pollution
  • Information disclosure via HTML comments
  • Insecure Cookies
  • JavaScript Injection
  • JavaScript validation bypass
  • JSON injection
  • LDAP injection
  • Loading of any arbitrary file
  • Local File Inclusion
  • Log injection
  • Method Tampering
  • O/S Command injection
  • Parameter addition
  • Password field submitted using GET method
  • Path Relative Style Sheet Injection
  • PHPMyAdmin Console
  • PHP server configuration disclosure
  • Phishing
  • Platform path disclosure
  • Privilege Escalation via Cookie Injection
  • Reflected Cross Site Scripting via GET, POST, Cookies, and HTTP Headers
  • Remote File Inclusion
  • robots.txt information disclosure
  • Stored Cross Site Scripting
  • SSL Stripping
  • SQL Injection
  • XML Entity Expansion
  • XML Injection
  • XML External Entity Injection
  • XPath Injection
  • Unencrypted database credentials
  • Unrestricted File Upload
  • Username enumeration
  • Un-validated Redirects and Forwards
Note: Pages marked with a * are common: they are included in most other pages, so their vulnerabilities appear on most pages.

add-to-your-blog.php

  • SQL Injection on blog entry
  • SQL Injection on logged in user name
  • Cross site scripting on blog entry
  • Cross site scripting on logged in user name
  • Log injection on logged in user name
  • Cross site request forgery
  • JavaScript validation bypass
  • XSS in the form title via logged in username
  • HTML injection in blog input field
  • Application Exception Output
  • Application Log Injection
  • Known Vulnerable Output: Name, Comment, "Add blog for" title

arbitrary-file-inclusion.php

  • System file compromise
  • Load any page from any site
  • Reflected XSS via the value in the "page" URL parameter
  • Server-side includes
  • HTML injection
  • Remote File Inclusion
  • Local File Inclusion
  • Method Tampering

authorization-required.php

  • No known vulnerabilities. We should add something.
  • This page is only used in secure mode. In insecure mode, the site does not authorize the user.

back-button-discussion.php

  • Reflected XSS via referer HTTP header
  • JS Injection via referer HTTP header
  • HTML injection via referer HTTP header
  • Unvalidated redirect

browser-info.php

  • Reflected XSS via referer HTTP header
  • JS Injection via referer HTTP header
  • HTML injection
  • Reflected XSS via user-agent string HTTP header

capture-data.php

  • XSS via any GET, POST, or Cookie
  • Insert based SQL injection via any GET, POST, or Cookie
  • HTML injection
  • Application Log Injection

captured-data.php

  • Stored XSS via any GET, POST, or Cookie value sent to the capture-data page (capture-data.php writes the captured values to a table that this page, captured-data.php with a "d", reads back and displays)
  • HTML injection via any GET, POST, or Cookie sent to the capture data page

client-side-comments.php

  • Comments with sensitive data

client-side-control-challenge.php

  • Reflected cross-site scripting
  • HTML injection
  • Method tampering
  • Client-side control bypass

conference-room-lookup.php

  • LDAP injection
  • Method tampering

config.inc*

  • Contains unencrypted database credentials
  • NOTE: This page is a canary, i.e. a target. It is not used by the project, and the credentials are only the defaults; if the project was set up differently they may not be correct

credits.php

  • Unvalidated Redirects and Forwards

database-offline.php

  • None that are known. Maybe we should add some.

directory-browsing.php

  • Discusses Directory Browsing

dns-lookup.php

  • Cross site scripting on the host/ip field
  • O/S Command injection on the host/ip field
  • This page writes to the log. SQLi and XSS on the log are possible
  • HTML injection
  • GET for POST (method tampering) is possible because the page does not enforce reading only POSTed variables.
  • Application Log Injection
  • JavaScript Validation Bypass

document-viewer.php

  • Cross Site Scripting
  • HTML injection
  • HTTP Parameter Pollution
  • Frame source injection
  • Method Tampering
  • Application Log Injection

echo.php

  • Cross site scripting on the message field
  • O/S Command injection on the message field
  • This page writes to the log. SQLi and XSS on the log are possible
  • HTML injection
  • GET for POST (method tampering) is possible because the page does not enforce reading only POSTed variables.
  • Application Log Injection
  • JavaScript Validation Bypass
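
The O/S command injection listed for dns-lookup.php and echo.php comes from the same pattern: the submitted field is pasted into a shell command line. The following is an added example, not Mutillidae code: it shows the pattern beside two fixes (quoting the value as a single shell word, or avoiding the shell entirely) and an allow-list check of the kind a host/IP field should get before the value reaches a resolver tool. The inputs and the host-name pattern are constructed; the page only states that the fields are injectable.

```python
"""Added example, not Mutillidae code: the O/S command injection pattern from
echo.php and dns-lookup.php, beside two fixes. Inputs are constructed."""
import re
import shlex
import subprocess


def echo_vulnerable(message: str) -> str:
    """Page pattern: user text pasted into a shell command line."""
    return subprocess.run("echo " + message, shell=True,
                          capture_output=True, text=True).stdout


def echo_quoted(message: str) -> str:
    """Shell still used, but the value becomes exactly one shell word."""
    return subprocess.run("echo " + shlex.quote(message), shell=True,
                          capture_output=True, text=True).stdout


def echo_argv(message: str) -> str:
    """No shell at all: the value is one argv element, metacharacters are literal."""
    return subprocess.run(["echo", message], capture_output=True, text=True).stdout


# Assumed control for the dns-lookup.php host/ip field: an allow-list of
# DNS-label syntax, checked before the value is handed to any resolver tool.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(value: str) -> bool:
    """True only for plain host names / dotted IPv4; rejects ; | ` $ ( ) and spaces."""
    return bool(_HOST_RE.match(value))


if __name__ == "__main__":
    payload = "hello; echo INJECTED"          # constructed attacker input
    print(repr(echo_vulnerable(payload)))     # second command runs
    print(repr(echo_quoted(payload)))         # printed literally
    print(repr(echo_argv(payload)))           # printed literally
    print(is_valid_host("example.com"), is_valid_host("example.com; id"))
```

The argv form is the one to prefer: quoting protects only the one place where it is applied, while a list of arguments never passes through a shell at all. The allow-list is still worth keeping, since a resolver binary may interpret leading dashes as options.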

edit-account-profile.php

  • Insecure Direct Object Reference (IDOR) via UID parameter
  • SQL injection, HTML injection and XSS via the username, signature and password field
  • Method tampering
  • Application Log Injection

footer.php*

  • Cross site scripting via the HTTP_USER_AGENT HTTP header.

framer.html

  • Forms caching
  • Click-jacking

framing.php

  • Click-jacking

header.php*

  • XSS via logged in user name and signature
  • The hints and DB menu items can be enabled by setting the uid value of the cookie to 1

home.php

  • No known vulnerabilities. We should add something.

html5-storage.php

  • DOM injection on the add-key error message because the key entered is output into the error message without being encoded.

index.php*

  • XSS via the hints-enabled output in the menu, because it takes its input from the hints-enabled cookie value
  • SQL injection via the UID cookie value, because it is used in a database lookup
  • Privilege escalation: change your rank to admin by altering the UID cookie value
  • HTTP Response Splitting via the logged in user name, because it is used to create an HTTP header
  • This page is responsible for cache-control but fails to set it
  • This page lets the X-Powered-By HTTP header through (platform disclosure)
  • HTML comments
  • There are secret pages that, if browsed to, redirect the user to the phpinfo.php page. They can be found by brute forcing
  • The show-hints cookie can be changed by the user to enable hints even though they are not supposed to show in secure mode
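
The two UID-cookie items above are distinct bugs that a single fix does not cover. The following is an added example, not Mutillidae code: a stand-in lookup against an in-memory SQLite table shows the injectable concatenation, a parameterised version that stops the injection but still lets the client pick the admin row, and a session-based version that removes the client's control over the account id. The table, its rows and the session token are constructed.

```python
"""Added example, not Mutillidae code: what goes wrong when the uid cookie
drives the account lookup. Table, rows and session token are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the accounts table: admin has cid 1."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (cid INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "admin", 1), (2, "adrian", 0), (3, "john", 0)],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, uid_cookie: str) -> list:
    """index.php pattern: the cookie text is concatenated into the query."""
    sql = "SELECT cid, username, is_admin FROM accounts WHERE cid = " + uid_cookie
    return db.execute(sql).fetchall()


def lookup_parameterised(db: sqlite3.Connection, uid_cookie: str) -> list:
    """Fixes the injection only: the value is validated and bound, never
    parsed as SQL, but the client still chooses which account it is."""
    try:
        cid = int(uid_cookie)
    except ValueError:
        return []
    return db.execute(
        "SELECT cid, username, is_admin FROM accounts WHERE cid = ?", (cid,)
    ).fetchall()


# Constructed server-side session store: opaque token -> cid fixed at login.
SESSIONS = {"c2Vzc2lvbi10b2tlbg": 2}


def lookup_from_session(db: sqlite3.Connection, token: str) -> list:
    """Fixes the privilege escalation: identity comes from server state keyed
    by an opaque token, so the client cannot pick a cid at all."""
    cid = SESSIONS.get(token)
    if cid is None:
        return []
    return db.execute(
        "SELECT cid, username, is_admin FROM accounts WHERE cid = ?", (cid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2 OR 1=1"))     # every account
    print(lookup_vulnerable(db, "1"))            # admin, by editing the cookie
    print(lookup_parameterised(db, "2 OR 1=1"))  # [] : injection stopped
    print(lookup_parameterised(db, "1"))         # admin row: escalation remains
    print(lookup_from_session(db, "forged"))     # []
```

The point of the third function is that parameterisation is a fix for SQL injection, not for authorization: as long as the account id arrives from the client, any value the client can type is a value the server will honour.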

installation.php

  • No known vulnerabilities. We should add something.

log-visit.php

  • SQL injection and XSS via referer HTTP header
  • SQL injection and XSS via user-agent string

login.php

  • Authentication bypass SQL injection via the username field and password field
  • SQL injection via the username field and password field
  • XSS via username field
  • JavaScript validation bypass
  • HTML injection via username field
  • Username enumeration
  • Application Log Injection

page-not-found.php

  • No known vulnerabilities. We should add something.
  • This page is only used in secure mode. In insecure mode, the site does not validate the "page" parameter.

password-generator.php

  • JavaScript injection

pen-test-tool-lookup.php

  • JSON injection

pen-test-tool-lookup-ajax.php

  • JSON injection

php-errors.php

  • No known vulnerabilities. We should add something.

phpinfo.php

  • This page gives away the PHP server configuration
  • Application path disclosure
  • Platform path disclosure
  • Information disclosure

phpmyadmin.php

  • This administrative console provides access to system configuration
  • Application path disclosure
  • Platform path disclosure
  • Information disclosure

privilege-escalation.php

  • None

process-commands.php

  • Creates cookies but does not set the HttpOnly flag on them

process-login-attempt.php

  • Same as login.php. This is the action page.

redirectandlog.php

  • Same as credits.php. This is the action page.

register.php

  • SQL injection, HTML injection and XSS via the username, signature and password field
  • Method tampering
  • Application Log Injection

repeater.php

  • HTML injection and XSS
  • Method tampering
  • Parameter addition
  • Buffer overflow

rene-magritte.php

  • Click-jacking

robots.txt

  • Contains directories that are supposed to be private.
  • The directories are browsable and contain sensitive files.

robots.txt.php

  • Discusses robots.txt

secret-administrative-pages.php

  • This page gives hints about how to discover the server configuration.
  • There are secret pages that, if browsed to, redirect the user to the phpinfo.php page. They can be found by brute forcing

set-background-color.php

  • Cascading style sheet injection and XSS via the color field.

set-up-database.php

  • No known vulnerabilities. We should add something.

show-log.php

  • Denial of Service if you fill up the log
  • XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields.
  • HTML Injection

site-footer-xss-discusson.php

  • XSS and HTMLi via the user agent string HTTP header

source-viewer.php

  • Loading of any arbitrary file including operating system files.
  • HTML Injection
  • Cross Site Scripting
  • Application log injection

sqlmap-targets.php

  • None

ssl-misconfiguration.php

  • Discusses SSL downgrade attack due to a vulnerability in the site globally. No known vulnerabilities on the page itself.

styling.php

  • Path Relative Style Sheet Injection
  • HTML Injection
  • Cross Site Scripting

text-file-viewer.php

  • Loading of any arbitrary web page on the Internet or locally, including the site's password files.
  • Phishing
  • Method Tampering
  • Cross site scripting
  • Application log injection

upload-file.php*

  • Unrestricted File Upload
  • Cross Site Scripting
  • HTML injection

usage-instructions.php

  • No known vulnerabilities. We should add some.

user-agent-impersonation.php

  • JavaScript string injection
  • Cross site scripting
  • User agent impersonation

user-info.php

  • SQL injection to dump all usernames and passwords via the username field or the password field
  • XSS via any of the displayed fields. Inject the XSS on the register.php page.
  • XSS via the username field
  • JavaScript validation bypass

user-info-xpath.php

  • XPath injection to dump all usernames and passwords via the username field or the password field
  • XSS via any of the displayed fields. Inject the XSS on the register.php page.
  • XSS via the username field
  • JavaScript validation bypass

user-poll.php

  • Parameter pollution
  • Method Tampering
  • XSS via the choice parameter
  • Cross site request forgery to force user choice
  • HTML injection

view-someones-blog.php

  • Persistent XSS via any of the displayed fields. They are input on the add to your blog page.

view-user-privilege-level.php

  • CBC bit flipping attack
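
CBC bit flipping works because the first plaintext block is recovered as D(C1) XOR IV: whoever can edit the IV can XOR chosen bytes into that block without knowing the key. The following is an added example, not Mutillidae code, written with a keyed toy block cipher (XOR with the key, then byte reversal) because the attack uses only the CBC chaining, not the cipher; the key, IV and the "uid=100;gid=100;" cookie layout are constructed. It also shows the fix the page implies: a MAC over IV and ciphertext, checked before decryption.

```python
"""Added example, not Mutillidae code: CBC bit flipping against an encrypted
but unauthenticated cookie, as on view-user-privilege-level.php. The block
cipher is a keyed toy; key, IV and cookie layout are constructed."""
import hashlib
import hmac
from typing import Optional

BLOCK = 16


def _toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(block, key))[::-1]


def _toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(block[::-1], key))


def _pad(data: bytes) -> bytes:          # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, out, prev = _pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        block = padded[i:i + BLOCK]
        prev = _toy_encrypt_block(key, bytes(p ^ c for p, c in zip(block, prev)))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += bytes(d ^ c for d, c in zip(_toy_decrypt_block(key, block), prev))
        prev = block
    return _unpad(out)


def flip_iv(iv: bytes, known: bytes, wanted: bytes) -> bytes:
    """P1 = D(C1) XOR IV, so IV XOR P1 XOR P1' makes C1 decrypt to P1'.
    Needs the current plaintext of block 1 (guessable layout), not the key."""
    assert len(known) == len(wanted) == BLOCK
    return bytes(i ^ a ^ b for i, a, b in zip(iv, known, wanted))


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV, so flipping it is detected."""
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, token: bytes) -> Optional[bytes]:
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                       # reject before touching the cipher
    return cbc_decrypt(enc_key, iv, ct)


if __name__ == "__main__":
    key, mac_key, iv = b"k" * 16, b"m" * 32, bytes(range(16))   # constructed
    cookie = b"uid=100;gid=100;"
    ct = cbc_encrypt(key, iv, cookie)
    forged_iv = flip_iv(iv, cookie, b"uid=001;gid=001;")
    print(cbc_decrypt(key, forged_iv, ct))                        # attacker wins
    print(open_sealed(key, mac_key, forged_iv + ct + b"\0" * 32))  # None
```

Only the first block is reachable through the IV; a later block can be edited the same way through the preceding ciphertext block, at the cost of turning that preceding block into garbage on decryption. Neither variant is possible once the MAC check runs first.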

webservices/rest/ws-user-account.php

  • REST Web Service: SQL Injection
  • REST Web Service: Username enumeration

webservices/soap/ws-lookup-dns-record.php

  • SOAP Web Service: Command Injection
  • SOAP Web Service: Username enumeration

webservices/soap/ws-user-account.php

  • SOAP Web Service: SQL Injection
  • SOAP Web Service: Username enumeration

xml-validator.php

  • XML Entity Injection Attack
  • XML Entity Expansion
  • XML Injection
  • Reflected Cross site scripting via XML Injection
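
The XML Entity Expansion item is the denial-of-service side of the DTD problem: nested internal entities make the parser produce output many times larger than the input. The following is an added example, not Mutillidae code: a constructed three-level payload (1000 copies of "lol"; the classic "billion laughs" uses ten levels) is parsed naively, and then by a wrapper that pre-scans with expat and refuses any DOCTYPE or entity declaration, which closes the external-entity (XXE) door as well.

```python
"""Added example, not Mutillidae code: a small entity-expansion document of
the kind xml-validator.php accepts, parsed naively and then with a parser that
refuses any DTD. The payload is constructed."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

PAYLOAD = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE data [\n"
    '  <!ENTITY lol0 "lol">\n'
    '  <!ENTITY lol1 "' + "&lol0;" * 10 + '">\n'
    '  <!ENTITY lol2 "' + "&lol1;" * 10 + '">\n'
    '  <!ENTITY lol3 "' + "&lol2;" * 10 + '">\n'
    "]>\n"
    "<data>&lol3;</data>\n"
)

BENIGN = "<data>hello</data>"


def parse_naive(xml_text: str) -> str:
    """Expands internal entities as declared: text far larger than the input."""
    return ET.fromstring(xml_text).text or ""


def amplification(xml_text: str) -> float:
    """Output characters per input character for the naive parse."""
    return len(parse_naive(xml_text)) / len(xml_text)


class DtdRejected(ValueError):
    pass


def parse_no_dtd(xml_text: str) -> ET.Element:
    """Pre-scan with a bare expat parser and abort on the first DOCTYPE or
    entity declaration; only a DTD-free document reaches the tree builder."""
    def reject(*_args):
        raise DtdRejected("DTD and entity declarations are not accepted")

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject
    p.EntityDeclHandler = reject
    p.Parse(xml_text, True)
    return ET.fromstring(xml_text)


def is_accepted(xml_text: str) -> bool:
    try:
        parse_no_dtd(xml_text)
        return True
    except DtdRejected:
        return False


if __name__ == "__main__":
    print(len(PAYLOAD), "bytes in,", len(parse_naive(PAYLOAD)), "chars out")
    print("accepted:", is_accepted(PAYLOAD), is_accepted(BENIGN))
```

Rejecting the DTD outright is the simplest defensible policy for an endpoint that never needs one; recent expat builds cap the amplification factor, but only once the output passes a multi-megabyte threshold, so a small payload like this one still expands in full.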