OWASP Mutillidae II: Keep Calm and Pwn On
|
| Home | | | Login/Register | | | Toggle Hints | | | Show Popup Hints | | | Toggle Security | | | Enforce SSL | | | Reset DB | | | View Log | | | View Captured Data |
-
OWASP 2017
- A1 - Injection (SQL)
-
A1 - Injection (Other)
- Application Log Injection
- Buffer Overflow
- Cascading Style Injection
- CBC-bit Flipping
- Command Injection
- Frame Source Injection
-
HTML Injection (HTMLi)
- Add to your blog
- Browser Info
- DNS Lookup
- Echo Message
- Pen Test Tool Lookup
- Text File Viewer
- User Info (SQL)
- User Info (XPath)
- Set Background Color
- HTML5 Web Storage
- Capture Data Page
- View Captured Data
- Document Viewer
- Arbitrary File Inclusion
- Poll Question
- Register User
- Login
- Those "Back" Buttons
- Styling with Mutilidae
- Password Generator
- HTMLi via HTTP Headers
- HTMLi Via DOM Injection
- HTMLi Via Cookie Injection
- HTTP Parameter Pollution
- JavaScript Injection
- JavaScript Object Notation (JSON) Injection
- LDAP Injection
- Parameter Addition
- XML External Entity Injection
- XML Entity Expansion
- XML Injection
- XPath Injection
- A2 - Broken Authentication and Session Management
- A3 - Sensitive Data Exposure
- A4 - XML External Entities
- A5 - Broken Access Control
- A6 - Security Misconfiguration
-
A7 - Cross Site Scripting (XSS)
-
Reflected (First Order)
- DNS Lookup
- Echo Message
- Pen Test Tool Lookup
- Text File Viewer
- User Info (SQL)
- Set Background Color
- HTML5 Web Storage
- Capture Data Page
- Document Viewer
- Arbitrary File Inclusion
- XML Validator
- User Info (XPath)
- Poll Question
- Register User
- Browser Info
- Those "Back" Buttons
- Styling with Mutilidae
- Password Generator
- Client-side Control Challenge
- Persistent (Second Order)
- DOM-Based
- Cross Site Request Forgery (CSRF)
- Via "Input" (GET/POST)
- Via HTTP Headers
- Via HTTP Attribute
- Via Misconfiguration
- Against HTML5 Web Storage
- Against JSON
- Via Cookie Injection
- Via XML Injection
- Via XPath Injection
- Via Path Relative Style Sheet Injection
-
BeeF Framework Targets
- Add to your blog
- View someone's blog
- Show Log
- DNS Lookup
- Echo Message
- Pen Test Tool Lookup
- Text File Viewer
- User Info (SQL)
- Set Background Color
- HTML5 Web Storage
- Capture Data Page
- Document Viewer
- Arbitrary File Inclusion
- XML Validator
- User Info (XPath)
- Poll Question
- Register User
- Password Generator
-
Reflected (First Order)
- A8 - Insecure Deserialization
- A9 - Using Components with Known Vulnerabilities
- A10 - Insufficient Logging and Monitoring
- OWASP 2010
Want to Help?
SSL MisconfigurationHints and Videos
SSL Misconfiguration Some web servers which require SSL to secure transmissions are misconfigured to allow users to browse over HTTP. The application may use redirection code to redirect users from HTTP to HTTPS. Mutillidae uses the following code in index.php.
if($_SERVER['HTTPS']!="on"){ $lSecureRedirect = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; header("Location: $lSecureRedirect"); exit(); }//end if
If a mallicious agent is able to set up a MITM connection in between the user browser and the web server, a program such as SSLStrip can detect the redirection from HTTP to HTTPS and downgrade the users connection.Besides redirecting users from HTTP to HTTPS, other misconfigurations include using weak ciphers or using vulnerable, unpatched software (i.e. Heartbleed). Part of testing web application security is testing for misconfigured HTTPS. Open "Hints and Videos" for more information
Back
Help Me!
