OWASP Mutillidae II: Web Pwn in Mass Production
|
| Home | | | Login/Register | | | Hide Popup Hints | | | Toggle Security | | | Enforce SSL | | | Reset DB | | | View Log | | | View Captured Data |
-
OWASP 2013
- A1 - Injection (SQL)
-
A1 - Injection (Other)
-
HTML Injection (HTMLi)
- Add to your blog
- Browser Info
- DNS Lookup
- Pen Test Tool Lookup
- Text File Viewer
- User Info (SQL)
- User Info (XPath)
- Set Background Color
- HTML5 Web Storage
- Capture Data Page
- View Captured Data
- Document Viewer
- Arbitrary File Inclusion
- Poll Question
- Register User
- Login
- Those "Back" Buttons
- Styling with Mutilidae
- Password Generator
- HTMLi via HTTP Headers
- HTMLi Via DOM Injection
- HTMLi Via Cookie Injection
- Frame Source Injection
- Command Injection
- JavaScript Injection
- HTTP Parameter Pollution
- Cascading Style Injection
- JavaScript Object Notation (JSON) Injection
- Buffer Overflow
- Parameter Addition
- XML External Entity Injection
- XML Entity Expansion
- XML Injection
- XPath Injection
- Application Log Injection
- CBC-bit Flipping
-
HTML Injection (HTMLi)
- A2 - Broken Authentication and Session Management
-
A3 - Cross Site Scripting (XSS)
-
Reflected (First Order)
- DNS Lookup
- Pen Test Tool Lookup
- Text File Viewer
- User Info (SQL)
- Set Background Color
- HTML5 Web Storage
- Capture Data Page
- Document Viewer
- Arbitrary File Inclusion
- XML Validator
- User Info (XPath)
- Poll Question
- Register User
- Browser Info
- Those "Back" Buttons
- Styling with Mutilidae
- Password Generator
- Client-side Control Challenge
- Persistent (Second Order)
- DOM-Based
- Via "Input" (GET/POST)
- Via HTTP Headers
- Via HTTP Attribute
- Via Misconfiguration
- Against HTML5 Web Storage
- Against JSON
- Via Cookie Injection
- Via XML Injection
- Via XPath Injection
- Via Path Relative Style Sheet Injection
- BeeF Framework Targets
-
Reflected (First Order)
- A4 - Insecure Direct Object References
- A5 - Security Misconfiguration
- A6 - Sensitive Data Exposure
- A7 - Missing Function Level Access Control
- A8 - Cross Site Request Forgery (CSRF)
- A9 - Using Components with Known Vulnerabilities
- A10 - Unvalidated Redirects and Forwards
- OWASP 2010
- OWASP 2007
- Web Services
- HTML 5
- Others
- Documentation
- Resources
Directory BrowsingHints and Videos
Directory Browsing Some web servers are misconfigured and allow directory browsing. This an easy mistake to make. While most sites disable directory browsing on the "home" or root page, some allow browsing on other directories. For each folder found in the site, attempt to browse to the folder without the page name. If using grep, look for "Index Of" as a match. OWASP Mutillidae II seems to disallow directory browsing on the root page. Try browsing to http://localhost/mutillidae. Likely this will load the home page. However, the site may not be configured perfectly. Perhaps if a folder name was known, we could try to browse to that folder (i.e. - http://localhost/mutillidae/<folder>).
If help is needed figuring out folder names, try activating hints.
Back
Help Me!