OWASP Mutillidae II: Keep Calm and Pwn On
Listing of Vulnerabilities
- Application Exception
- Application log injection
- Application path disclosure
- Authentication Bypass via SQL injection
- Brute force secret admin pages
- Buffer overflow
- Cascading style sheet injection
- CBC bit flipping (latest)
- Click-jacking
- Client-side Security
- Comments with sensitive data
- Content type is not specified
- Cookie scoped to parent domain
- Credit card numbers disclosed
- Cross Site Request Forgery
- Denial of Service
- Directory Browsing
- DOM injection
- Forms caching
- Frame source injection
- HTML injection
- HTTP Parameter Pollution
- Information disclosure via HTML comments
- Insecure Cookies
- JavaScript Injection
- JavaScript validation bypass
- JSON injection
- Loading of any arbitrary file
- Local File Inclusion
- Log injection
- Method Tampering
- O/S Command injection
- Parameter addition
- Password field submitted using GET method
- Path Relative Style Sheet Injection
- PHPMyAdmin Console
- PHP server configuration disclosure
- Phishing
- Platform path disclosure
- Privilege Escalation via Cookie Injection
- Reflected Cross Site Scripting via GET, POST, Cookies, and HTTP Headers
- Remote File Inclusion
- robots.txt information disclosure
- Stored Cross Site Scripting
- SSL Stripping
- SQL Injection
- XML Entity Expansion
- XML Injection
- XML External Entity Injection
- XPath Injection
- Unencrypted database credentials
- Unrestricted File Upload
- Username enumeration
- Un-validated Redirects and Forwards
Note: Pages marked with a * are common. This means their vulnerabilities will appear on most pages.
- SQL Injection on blog entry
- SQL Injection on logged in user name
- Cross site scripting on blog entry
- Cross site scripting on logged in user name
- Log injection on logged in user name
- Cross site request forgery
- JavaScript validation bypass
- XSS in the form title via logged in username
- HTML injection in blog input field
- Application Exception Output
- Application Log Injection
- Known Vulnerable Output: Name, Comment, "Add blog for" title
- System file compromise
- Load any page from any site
- Reflected XSS via the value in the "page" URL parameter
- Server-side includes
- HTML injection
- Remote File Inclusion
- Local File Inclusion
- Method Tampering
- No known vulnerabilities. We should add something.
- This page is only used in secure mode. In insecure mode, the site does not authorize the user.
- Reflected XSS via referer HTTP header
- JS Injection via referer HTTP header
- HTML injection via referer HTTP header
- Unvalidated redirect
- Reflected XSS via referer HTTP header
- JS Injection via referer HTTP header
- HTML injection
- Reflected XSS via user-agent string HTTP header
- XSS via any GET, POST, or Cookie
- Insert based SQL injection via any GET, POST, or Cookie
- HTML injection
- Application Log Injection
- Stored XSS via any GET, POST, or Cookie sent to the capture data page. (The capture-data.php page writes the captured values to a table that is read by this page, captured-data.php (with a "d").)
- HTML injection via any GET, POST, or Cookie sent to the capture data page
- Comments with sensitive data
- Reflected cross-site scripting
- HTML injection
- Method tampering
- Client-side control bypass
- Contains unencrypted database credentials
NOTE: This page is a canary; a target. It is not used in the project. The credentials are only the defaults. If the project was set up differently, the credentials may not be correct.
- Unvalidated Redirects and Forwards
- None that are known. Maybe we should add some.
- Discusses Directory Browsing
- Cross site scripting on the host/ip field
- O/S Command injection on the host/ip field
- This page writes to the log. SQLi and XSS on the log are possible
- HTML injection
- GET for POST (method tampering) is possible because reading only POSTed variables is not enforced.
- Application Log Injection
- JavaScript Validation Bypass
- Cross Site Scripting
- HTML injection
- HTTP Parameter Pollution
- Frame source injection
- Method Tampering
- Application Log Injection
- Cross site scripting via the HTTP_USER_AGENT HTTP header.
- Forms caching
- Click-jacking
- XSS via logged in user name and signature
- The hints and the DB menu item can be enabled by setting the uid value of the cookie to 1
- No known vulnerabilities. We should add something.
- DOM injection on the add-key error message because the key entered is output into the error message without being encoded.
- You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value.
- You can SQL inject the UID cookie value because it is used to do a lookup
- You can change your rank to admin by altering the UID value
- HTTP Response Splitting via the logged in user name because it is used to create an HTTP Header
- This page is responsible for cache-control but fails to do so
- This page allows the X-Powered-By HTTP header
- HTML comments
- There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page. These can be found via brute forcing.
- The show-hints cookie can be changed by the user to enable hints even though they are not supposed to show in secure mode
- No known vulnerabilities. We should add something.
- SQL injection and XSS via referer HTTP header
- SQL injection and XSS via user-agent string
- Authentication bypass SQL injection via the username field and password field
- SQL injection via the username field and password field
- XSS via username field
- JavaScript validation bypass
- HTML injection via username field
- Username enumeration
- Application Log Injection
- No known vulnerabilities. We should add something.
- This page is only used in secure mode. In insecure mode, the site does not validate the "page" parameter.
- No known vulnerabilities. We should add something.
- This page gives away the PHP server configuration
- Application path disclosure
- Platform path disclosure
- Information disclosure
- This administrative console provides access to system configuration
- Application path disclosure
- Platform path disclosure
- Information disclosure
- Creates cookies but does not set the HttpOnly flag on them
- Same as login.php. This is the action page.
- Same as credits.php. This is the action page.
- SQL injection, HTML injection and XSS via the username, signature and password fields
- Method tampering
- Application Log Injection
- HTML injection and XSS
- Method tampering
- Parameter addition
- Buffer overflow
- Contains directories that are supposed to be private.
- The directories are browsable and contain sensitive files.
- This page gives hints about how to discover the server configuration. There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page. These can be found via brute forcing.
- Cascading style sheet injection and XSS via the color field.
- No known vulnerabilities. We should add something.
- Denial of Service if you fill up the log
- XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields.
- HTML Injection
- XSS and HTMLi via the user agent string HTTP header
- Loading of any arbitrary file including operating system files.
- HTML Injection
- Cross Site Scripting
- Application log injection
- Discusses the SSL downgrade attack, which is due to a vulnerability in the site globally. No known vulnerabilities on the page itself.
- Path Relative Style Sheet Injection
- HTML Injection
- Cross Site Scripting
- Loading of any arbitrary web page on the Internet or locally, including the site's password files.
- Phishing
- Method Tampering
- Cross site scripting
- Application log injection
- Unrestricted File Upload
- Cross Site Scripting
- HTML injection
- No known vulnerabilities. We should add some.
- JavaScript String Injection
- Cross site scripting
- User agent impersonation
- SQL injection to dump all usernames and passwords via the username field or the password field
- XSS via any of the displayed fields. Inject the XSS on the register.php page.
- XSS via the username field
- JavaScript validation bypass
- XPath injection to dump all usernames and passwords via the username field or the password field
- XSS via any of the displayed fields. Inject the XSS on the register.php page.
- XSS via the username field
- JavaScript validation bypass
- Parameter pollution
- Method Tampering
- XSS via the choice parameter
- Cross site request forgery to force user choice
- HTML injection
- Persistent XSS via any of the displayed fields. They are input on the add-to-your-blog page.
- REST Web Service: SQL Injection
- REST Web Service: Username enumeration
- SOAP Web Service: Command Injection
- SOAP Web Service: Username enumeration
- SOAP Web Service: SQL Injection
- SOAP Web Service: Username enumeration
- XML Entity Injection Attack
- XML Entity Expansion
- XML Injection
- Reflected Cross site scripting via XML Injection