Listing of Vulnerabilities

  Back Help Me!

Application Exception Application log injection Application path disclosure Authentication Bypass via SQL injection Brute force secret admin pages Buffer overflow Cascading style sheet injection CBC bit flipping (latest) Click-jacking Client-side Security Comments with sensitive data Content type is not specified Cookie scoped to parent domain Credit card numbers disclosed Cross Site Request Forgery Denial of Service Directory Browsing DOM injection Forms caching Frame source injection HTML injection HTTP Parameter Pollution Information disclosure via HTML comments Insecure Cookies JavaScript Injection JavaScript validation bypass JSON injection

Loading of any arbitrary file Local File Inclusion Log injection Method Tampering O/S Command injection Parameter addition Password field submitted using GET method Path Relative Style Sheet Injection PHPMyAdmin Console PHP server configuration disclosure Phishing Platform path disclosure Privilege Escalation via Cookie Injection Reflected Cross Site Scripting via GET, POST, Cookies, and HTTP Headers Remote File Inclusion robots.txt information disclosure Stored Cross Site Scripting SSL Stripping SQL Injection XML Entity Expansion XML Injection XML External Entity Injection XPath Injection Unencrypted database credentials Unrestricted File Upload Username enumeration Un-validated Redirects and Forwards

Note: Pages marked with a * are common. This means their vulnerabilities will appear on most pages.

add-to-your-blog.php

• SQL Injection on blog entry
• SQL Injection on logged in user name
• Cross site scripting on blog entry
• Cross site scripting on logged in user name
• Log injection on logged in user name
• Cross site request forgery
• JavaScript validation bypass
• XSS in the form title via logged in username
• HTML injection in blog input field
• Application Exception Output
• Application Log Injection
• Known Vulnerable Output: Name, Comment, "Add blog for" title

arbitrary-file-inclusion.php

• System file compromise
• Load any page from any site
• Reflected XSS via the value in the "page" URL parameter
• Server-side includes
• HTML injection
• Remote File Inclusion
• Local File Inclusion
• Method Tampering

authorization-required.php

• No known vulnerabilities. We should add something.
• This page is only used in secure mode. In insecure mode, the site does not authorize user.

back-button-discussion.php

• Reflected XSS via referer HTTP header
• JS Injection via referer HTTP header
• HTML injection via referer HTTP header
• Unvalidated redirect

browser-info.php

• Reflected XSS via referer HTTP header
• JS Injection via referer HTTP header
• HTML injection
• Reflected XSS via user-agent string HTTP header

capture-data.php

• XSS via any GET, POST, or Cookie
• Insert based SQL injection via any GET, POST, or Cookie
• HTML injection
• Application Log Injection

captured-data.php

• Stored XSS via any GET, POST, or Cookie sent to the capture data page. (capture-data.php page writes values captured to a table read by this page; captured-data.php (with a "d"))
• HTML injection via any GET, POST, or Cookie sent to the capture data page

client-side-comments.php

• Comments with sensitive data

client-side-control-challenge.php

• Reflected cross-site scripting
• HTML injection
• Method tampering
• Client-side control bypass

config.inc*

• Contains unencrytped database credentials
• NOTE: This page is a canary; a target. It is not used in the project. The credentials are only the default. If the project was set up differently the credentials may not be correct

credits.php

• Unvalidated Redirects and Forwards

database-offline.php

• Not that are known. Maybe we should add some.

directory-browsing.php

• Discusses Directory Browsing

dns-lookup.php

• Cross site scripting on the host/ip field
• O/S Command injection on the host/ip field
• This page writes to the log. SQLi and XSS on the log are possible
• HTML injection
• GET for POST (method tampering) is possible because only reading POSTed variables is not enforced.
• Application Log Injection
• JavaScript Validation Bypass

document-viewer.php

• Cross Site Scripting
• HTML injection
• HTTP Parameter Pollution
• Frame source injection
• Method Tampering
• Application Log Injection

footer.php*

• Cross site scripting via the HTTP_USER_AGENT HTTP header.

framer.html

• Forms caching
• Click-jacking

framing.php

• Click-jacking

header.php*

• XSS via logged in user name and signature
• The hints the DB menu item can be enabled by setting the uid value of the cookie to 1

home.php

• No known vulnerabilities. We should add something.

html5-storage.php

• DOM injection on the add-key error message because the key entered is output into the error message without being encoded.

index.php*

• You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value.
• You can SQL injection the UID cookie value because it is used to do a lookup
• You can change your rank to admin by altering the UID value
• HTTP Response Splitting via the logged in user name because it is used to create an HTTP Header
• This page is responsible for cache-control but fails to do so
• This page allows the X-Powered-By HTTP header
• HTML comments
• There are secret pages that if browsed to will redirect user to the phpinfo.php page. This can be done via brute forcing
• The show-hints cookie can be changed by user to enable hints even though they are not suppose to show in secure mode

installation.php

• No known vulnerabilities. We should add something.

log-visit.php

• SQL injection and XSS via referer HTTP header
• SQL injection and XSS via user-agent string

login.php

• Authentication bypass SQL injection via the username field and password field
• SQL injection via the username field and password field
• XSS via username field
• JavaScript validation bypass
• HTML injection via username field
• Username enumeration
• Application Log Injection

page-not-found.php

• No known vulnerabilities. We should add something.
• This page is only used in secure mode. In insecure mode, the site does not validate the "page" parameter.

password-generator.php

• JavaScript injection

pen-test-tool-lookup.php

• JSON injection

pen-test-tool-lookup-ajax.php

• JSON injection

php-errors.php

• No known vulnerabilities. We should add something.

phpinfo.php

• This page gives away the PHP server configuration
• Application path disclosure
• Platform path disclosure
• Information disclosure

phpmyadmin.php

• This administrative console provides access to system configuration
• Application path disclosure
• Platform path disclosure
• Information disclosure

privilege-escalation.php

• None

process-commands.php

• Creates cookies but does not make them HTML only

process-login-attempt.php

• Same as login.php. This is the action page.

redirectandlog.php

• Same as credits.php. This is the action page.

register.php

• SQL injection, HTML injection and XSS via the username, signature and password field
• Method tampering
• Application Log Injection

repeater.php

• HTML injection and XSS
• Method tampering
• Parameter addition
• Buffer overflow

rene-magritte.php

• Click-jacking

robots.txt

• Contains directories that are supposed to be private.
• The directories are browsable and contain sensitive files.

robots.txt.php

• Discusses robots.txt

secret-administrative-pages.php

• This page gives hints about how to discover the server configuration.
• There are secret pages that if browsed to will redirect user to the phpinfo.php page. This can be done via brute forcing

set-background-color.php

• Cascading style sheet injection and XSS via the color field.

set-up-database.php

• No known vulnerabilities. We should add something.

show-log.php

• Denial of Service if you fill up the log
• XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields.
• HTML Injection

site-footer-xss-discusson.php

• XSS and HTMLi via the user agent string HTTP header

source-viewer.php

• Loading of any arbitrary file including operating system files.
• HTML Injection
• Cross Site Scripting
• Application log injection

sqlmap-targets.php

• None

ssl-misconfiguration.php

• Discusses SSL downgrade attack due to a vulnerability in the site globally. No known vulnerabilities on the page itself.

styling.php

• Path Relative Style Sheet Injection
• HTML Injection
• Cross Site Scripting

text-file-viewer.php

• Loading of any arbitrary web page on the Interet or locally including the sites password files.
• Phishing
• Method Tampering
• Cross site scripting
• Application log injection

upload-file.php*

• Unrestricted File Upload
• Cross Site Scripting
• HTML injection

usage-instructions.php

• No known vulnerabilities. We should add some.

user-agent-impersonation.php

• Javascript String Injection
• Cross site scripting
• User agent impersonation

user-info.php

• SQL injection to dump all usernames and passwords via the username field or the password field
• XSS via any of the displayed fields. Inject the XSS on the register.php page.
• XSS via the username field
• JavaScript validation bypass

user-info-xpath.php

• XPath injection to dump all usernames and passwords via the username field or the password field
• XSS via any of the displayed fields. Inject the XSS on the register.php page.
• XSS via the username field
• JavaScript validation bypass

user-poll.php

• Parameter pollution
• Method Tampering
• XSS via the choice parameter
• Cross site request forgery to force user choice
• HTML injection

view-someones-blog.php

• Persistent XSS via any of the displayed fields. They are input on the add to your blog page.

view-user-privilege-level.php

• CBC bit flipping attack

webservices/rest/ws-user-account.php

• REST Web Service: SQL Injection
• REST Web Service: Username emuneration

webservices/soap/ws-lookup-dns-record.php

• SOAP Web Service: Command Injection
• SOAP Web Service: Username emuneration

webservices/soap/ws-user-account.php

• SOAP Web Service: SQL Injection
• SOAP Web Service: Username emuneration

xml-validator.php

• XML Entity Injection Attack
• XML Entity Expansion
• XML Injection
• Reflected Cross site scripting via XML Injection