OWASP Mutillidae II: Keep Calm and Pwn On
Listing of Vulnerabilities
- Application Exception
- Application log injection
- Application path disclosure
- Authentication Bypass via SQL injection
- Brute force secret admin pages
- Buffer overflow
- Cascading style sheet injection
- CBC bit flipping (latest)
- Click-jacking
- Client-side Security
- Comments with sensitive data
- Content type is not specified
- Cookie scoped to parent domain
- Credit card numbers disclosed
- Cross Site Request Forgery
- Denial of Service
- Directory Browsing
- DOM injection
- Forms caching
- Frame source injection
- HTML injection
- HTTP Parameter Pollution
- Information disclosure via HTML comments
- Insecure Cookies
- JavaScript Injection
- JavaScript validation bypass
- JSON injection
- LDAP injection
- Loading of any arbitrary file
- Local File Inclusion
- Log injection
- Method Tampering
- O/S Command injection
- Parameter addition
- Password field submitted using GET method
- Path Relative Style Sheet Injection
- PHPMyAdmin Console
- PHP server configuration disclosure
- Phishing
- Platform path disclosure
- Privilege Escalation via Cookie Injection
- Reflected Cross Site Scripting via GET, POST, Cookies, and HTTP Headers
- Remote File Inclusion
- robots.txt information disclosure
- Stored Cross Site Scripting
- SSL Stripping
- SQL Injection
- XML Entity Expansion
- XML Injection
- XML External Entity Injection
- XPath Injection
- Unencrypted database credentials
- Unrestricted File Upload
- Username enumeration
- Un-validated Redirects and Forwards
Note: Pages marked with a * are common. This means their vulnerabilities will appear on most pages.
add-to-your-blog.php
- SQL Injection on blog entry
- SQL Injection on logged in user name
- Cross site scripting on blog entry
- Cross site scripting on logged in user name
- Log injection on logged in user name
- Cross site request forgery
- JavaScript validation bypass
- XSS in the form title via logged in username
- HTML injection in blog input field
- Application Exception Output
- Application Log Injection
- Known Vulnerable Output: Name, Comment, "Add blog for" title
arbitrary-file-inclusion.php
- System file compromise
- Load any page from any site
- Reflected XSS via the value in the "page" URL parameter
- Server-side includes
- HTML injection
- Remote File Inclusion
- Local File Inclusion
- Method Tampering
authorization-required.php
- No known vulnerabilities. We should add something.
- This page is only used in secure mode. In insecure mode, the site does not authorize users.
back-button-discussion.php
- Reflected XSS via referer HTTP header
- JS Injection via referer HTTP header
- HTML injection via referer HTTP header
- Unvalidated redirect
browser-info.php
- Reflected XSS via referer HTTP header
- JS Injection via referer HTTP header
- HTML injection
- Reflected XSS via user-agent string HTTP header
capture-data.php
- XSS via any GET, POST, or Cookie
- Insert based SQL injection via any GET, POST, or Cookie
- HTML injection
- Application Log Injection
captured-data.php
- Stored XSS via any GET, POST, or Cookie sent to the capture data page (capture-data.php writes the values it captures to a table that is read by this page, captured-data.php, with a "d")
- HTML injection via any GET, POST, or Cookie sent to the capture data page
client-side-comments.php
- Comments with sensitive data
client-side-control-challenge.php
- Reflected cross-site scripting
- HTML injection
- Method tampering
- Client-side control bypass
conference-room-lookup.php
- LDAP injection
- Method tampering
config.inc*
- Contains unencrypted database credentials
- NOTE: This page is a canary; a target. It is not used in the project. The credentials are only the defaults. If the project was set up differently, the credentials may not be correct.
credits.php
- Unvalidated Redirects and Forwards
database-offline.php
- None that are known. Maybe we should add some.
directory-browsing.php
- Discusses Directory Browsing
dns-lookup.php
- Cross site scripting on the host/ip field
- O/S Command injection on the host/ip field
- This page writes to the log. SQLi and XSS on the log are possible
- HTML injection
- GET for POST (method tampering) is possible because reading only POSTed variables is not enforced.
- Application Log Injection
- JavaScript Validation Bypass
document-viewer.php
- Cross Site Scripting
- HTML injection
- HTTP Parameter Pollution
- Frame source injection
- Method Tampering
- Application Log Injection
echo.php
- Cross site scripting on the message field
- O/S Command injection on the message field
- This page writes to the log. SQLi and XSS on the log are possible
- HTML injection
- GET for POST (method tampering) is possible because reading only POSTed variables is not enforced.
- Application Log Injection
- JavaScript Validation Bypass
edit-account-profile.php
- Insecure Direct Object Reference (IDOR) via UID parameter
- SQL injection, HTML injection and XSS via the username, signature and password fields
- Method tampering
- Application Log Injection
footer.php*
- Cross site scripting via the HTTP_USER_AGENT HTTP header.
framer.html
- Forms caching
- Click-jacking
framing.php
header.php*
- XSS via logged in user name and signature
- The hints and DB menu items can be enabled by setting the uid value of the cookie to 1
home.php
- No known vulnerabilities. We should add something.
html5-storage.php
- DOM injection on the add-key error message, because the key entered is output into the error message without being encoded.
index.php*
- You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value.
- You can SQL inject the UID cookie value because it is used to do a lookup
- You can change your rank to admin by altering the UID value
- HTTP Response Splitting via the logged in user name because it is used to create an HTTP Header
- This page is responsible for cache-control but fails to do so
- This page allows the X-Powered-By HTTP header
- HTML comments
- There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page. These can be found via brute forcing
- The show-hints cookie can be changed by the user to enable hints even though they are not supposed to show in secure mode
installation.php
- No known vulnerabilities. We should add something.
log-visit.php
- SQL injection and XSS via referer HTTP header
- SQL injection and XSS via user-agent string
login.php
- Authentication bypass SQL injection via the username field and password field
- SQL injection via the username field and password field
- XSS via username field
- JavaScript validation bypass
- HTML injection via username field
- Username enumeration
- Application Log Injection
page-not-found.php
- No known vulnerabilities. We should add something.
- This page is only used in secure mode. In insecure mode, the site does not validate the "page" parameter.
password-generator.php
pen-test-tool-lookup.php
pen-test-tool-lookup-ajax.php
php-errors.php
- No known vulnerabilities. We should add something.
phpinfo.php
- This page gives away the PHP server configuration
- Application path disclosure
- Platform path disclosure
- Information disclosure
phpmyadmin.php
- This administrative console provides access to system configuration
- Application path disclosure
- Platform path disclosure
- Information disclosure
privilege-escalation.php
process-commands.php
- Creates cookies but does not make them HTML only
process-login-attempt.php
- Same as login.php. This is the action page.
redirectandlog.php
- Same as credits.php. This is the action page.
register.php
- SQL injection, HTML injection and XSS via the username, signature and password fields
- Method tampering
- Application Log Injection
repeater.php
- HTML injection and XSS
- Method tampering
- Parameter addition
- Buffer overflow
rene-magritte.php
robots.txt
- Contains directories that are supposed to be private.
- The directories are browsable and contain sensitive files.
robots.txt.php
secret-administrative-pages.php
- This page gives hints about how to discover the server configuration.
- There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page. These can be found via brute forcing
set-background-color.php
- Cascading style sheet injection and XSS via the color field.
set-up-database.php
- No known vulnerabilities. We should add something.
show-log.php
- Denial of Service if you fill up the log
- XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields.
- HTML Injection
site-footer-xss-discusson.php
- XSS and HTMLi via the user agent string HTTP header
source-viewer.php
- Loading of any arbitrary file including operating system files.
- HTML Injection
- Cross Site Scripting
- Application log injection
sqlmap-targets.php
ssl-misconfiguration.php
- Discusses the SSL downgrade attack due to a vulnerability in the site globally. No known vulnerabilities on the page itself.
styling.php
- Path Relative Style Sheet Injection
- HTML Injection
- Cross Site Scripting
text-file-viewer.php
- Loading of any arbitrary web page on the Internet or locally, including the site's password files.
- Phishing
- Method Tampering
- Cross site scripting
- Application log injection
upload-file.php*
- Unrestricted File Upload
- Cross Site Scripting
- HTML injection
usage-instructions.php
- No known vulnerabilities. We should add some.
user-agent-impersonation.php
- JavaScript String Injection
- Cross site scripting
- User agent impersonation
user-info.php
- SQL injection to dump all usernames and passwords via the username field or the password field
- XSS via any of the displayed fields. Inject the XSS on the register.php page.
- XSS via the username field
- JavaScript validation bypass
user-info-xpath.php
- XPath injection to dump all usernames and passwords via the username field or the password field
- XSS via any of the displayed fields. Inject the XSS on the register.php page.
- XSS via the username field
- JavaScript validation bypass
user-poll.php
- Parameter pollution
- Method Tampering
- XSS via the choice parameter
- Cross site request forgery to force user choice
- HTML injection
view-someones-blog.php
- Persistent XSS via any of the displayed fields. They are input on the add-to-your-blog page.
view-user-privilege-level.php
webservices/rest/ws-user-account.php
- REST Web Service: SQL Injection
- REST Web Service: Username enumeration
webservices/soap/ws-lookup-dns-record.php
- SOAP Web Service: Command Injection
- SOAP Web Service: Username enumeration
webservices/soap/ws-user-account.php
- SOAP Web Service: SQL Injection
- SOAP Web Service: Username enumeration
xml-validator.php
- XML Entity Injection Attack
- XML Entity Expansion
- XML Injection
- Reflected Cross site scripting via XML Injection