OWASP Mutillidae II: Web Pwn in Mass Production
|
| Home | | | Login/Register | | | Toggle Hints | | | Show Popup Hints | | | Toggle Security | | | Enforce SSL | | | Reset DB | | | View Log | | | View Captured Data |
-
OWASP 2017
- A1 - Injection (SQL)
-
A1 - Injection (Other)
- Application Log Injection
- Buffer Overflow
- Cascading Style Injection
- CBC-bit Flipping
- Command Injection
- Frame Source Injection
-
HTML Injection (HTMLi)
- Add to your blog
- Browser Info
- DNS Lookup
- Pen Test Tool Lookup
- Text File Viewer
- User Info (SQL)
- User Info (XPath)
- Set Background Color
- HTML5 Web Storage
- Capture Data Page
- View Captured Data
- Document Viewer
- Arbitrary File Inclusion
- Poll Question
- Register User
- Login
- Those "Back" Buttons
- Styling with Mutilidae
- Password Generator
- HTMLi via HTTP Headers
- HTMLi Via DOM Injection
- HTMLi Via Cookie Injection
- HTTP Parameter Pollution
- JavaScript Injection
- JavaScript Object Notation (JSON) Injection
- Parameter Addition
- XML External Entity Injection
- XML Entity Expansion
- XML Injection
- XPath Injection
- A2 - Broken Authentication and Session Management
-
A3 - Cross Site Scripting (XSS)
-
Reflected (First Order)
- DNS Lookup
- Pen Test Tool Lookup
- Text File Viewer
- User Info (SQL)
- Set Background Color
- HTML5 Web Storage
- Capture Data Page
- Document Viewer
- Arbitrary File Inclusion
- XML Validator
- User Info (XPath)
- Poll Question
- Register User
- Browser Info
- Those "Back" Buttons
- Styling with Mutilidae
- Password Generator
- Client-side Control Challenge
- Persistent (Second Order)
- DOM-Based
- Via "Input" (GET/POST)
- Via HTTP Headers
- Via HTTP Attribute
- Via Misconfiguration
- Against HTML5 Web Storage
- Against JSON
- Via Cookie Injection
- Via XML Injection
- Via XPath Injection
- Via Path Relative Style Sheet Injection
- BeeF Framework Targets
-
Reflected (First Order)
- A4 - Broken Access Control
- A5 - Security Misconfiguration
- A6 - Sensitive Data Exposure
- A7 - Insufficient Attack Protection
- A8 - Cross Site Request Forgery (CSRF)
- A9 - Using Components with Known Vulnerabilities
- A10 - Underprotected APIs
- OWASP 2013
- OWASP 2010
- Web Services
- HTML 5
- Others
- Documentation
- Resources
Want to Help?
SSL MisconfigurationHints and Videos
SSL Misconfiguration Some web servers which require SSL to secure transmissions are misconfigured to allow users to browse over HTTP. The application may use redirection code to redirect users from HTTP to HTTPS. Mutillidae uses the following code in index.php.
if($_SERVER['HTTPS']!="on"){ $lSecureRedirect = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; header("Location: $lSecureRedirect"); exit(); }//end if
If a mallicious agent is able to set up a MITM connection in between the user browser and the web server, a program such as SSLStrip can detect the redirection from HTTP to HTTPS and downgrade the users connection.
Back
Help Me!
