Wednesday, November 30, 2011

Mutillidae 2.1.7 Deliberately Vulnerable Web App Updated (a lot)

Jeremy Druin has been doing a lot of work on Mutillidae. Here is the change log since the last time I mentioned it:

Change Log for Mutillidae 2.1.7:

Added a new page for HTML5 storage. The page is meant to show how to both use and attack HTML5 storage. The page supports Local and Session storage types. The user can attack the storage in two contexts. They can act as if they want to read the contents of their own browser's session storage to see if the developer put authorization tokens or other items into the storage. They can also try to use XSS to steal the session storage. In this use-case the user would be acting as if they wanted to read someone else's storage. A large number of hints have been added to the page. The page name is "html5-storage.php" and can be accessed from the Cross Site Scripting menu and information leakage menu. In security level zero, the page has no defenses. In level 1, the page will use trivial JavaScript validation. In security level 5, the page will refuse to put the secrets in client-side storage.

11/13/2011: Jeremy Druin / Kenny Kurtz

Change Log for Mutillidae 2.1.6:

Enhanced the .htaccess file to automatically disable magic quotes on systems which enable them by default (such as some OSX versions of PHP)
Fixed some bugs in the phpinfo.php file that made the page display weird.
Enhanced the hidden PHPINFO page so that it would work if the user browsed to http://localhost/mutillidae/index.php?page=phpinfo.php or to http://localhost/mutillidae/phpinfo.php. This example assumes Mutillidae is running on localhost.
Fixed a bug in index.php that kept the log-visit page from being included.
Fixed a bug in log-visit.php that kept the page from working.
Fixed installation instructions format for IE 8 not in compatibility mode.

11/10/2011: Jeremy Druin

Change Log for Mutillidae 2.1.5:

Added vuln to login sequence. Now a cookie is created with username. Students should try to XSS the cookie and see what happens. Also try a response splitting attack because a cookie is an HTTP header.
Created new twitter feed to make Mutillidae announcements and other web vulnerability tweaks. @webpwnized
Fixed installation instructions format for IE 8 not in compatibility mode

10/14/2011: Jeremy Druin

Change Log for Mutillidae 2.1.4:

Moved usage instructions and php errors from the home page to their own pages.
In insecure mode, changed the method of the user-info.php page to GET in order to make it easier to use sqlmap against Mutillidae. sqlmap supports POST but it is easier to use with GET.
Added hints about sqlmap to sql injection tutorial and to the easter egg file
Added a credit card table as a target in the database
Confirmed that the view-blog table can be attacked with sqlmap. The answer is in the Easter Egg file.

10/13/2011: Jeremy Druin

Change Log for Mutillidae 2.1.3:

Fixed a bug. If the user was on the home page without having clicked any link to this point (such as when using a bookmark) and then clicked "change security level", the page would redirect to page not found.
Increased the slide time for the ddsmoothmenu to make it slow down a little bit
Added a NEW vulnerability. Many sites have crazy pages that show server settings, expose admin functionality, allow configuration, or other features a user should not be able to see. The problem is not the pages themselves so much as the fact that developers think no one will guess the name and browse to them. Shoulder surfing, guessing, brute-forcing, etc. can be used to find these pages. Mutillidae now has such a page. It is in the "Server Misconfiguration" category. See secret-administrative-pages.php for hints.
Augmented the installation instructions
Added link to ihackcharities to front page
Added a new security level. Now there is security level 1. The only difference in this release between level 0 and level 1 is that level 1 has JS validation. The JS validation has been in place for a while to allow but was activated in level 0. Since level 0 is supposed to be very easy, the decision was made to create level 1 and move JS validation to level 1. The JS validation is trivial to bypass. Simply disable JS or use a proxy such as Tamper Data, Paros, Burp, WebScarab, or others.
Page homenotes.php has been merged with home.php.
Page home.html has been renamed home.php
Added protection for SQL injection to add to your blog.php output of the current user's blog entries. Prior to this patch, you could SQL inject in security level 5 by putting your injection in the current user's login name because the query uses the current user's login name as the input to the query.
Improved the DNS lookup page to add JS validation in security level 1 mode.
Changed padding for BACK button to use styles rather than HTML BR tags.
Changed the password generator password length to 15 to set a better example.
Some refactoring on user-info.php and login.php to clean up code
Added CSRF Protection to page add to your blog. This only works in secure mode.
Added more scripts to the easter egg file (Mutillidae Test Scripts)
Bug fix: The setupandreset.php errors were not printing out.
Stupid bug fix: Removed the "open DB" that was firing before the database was actually created.
Created output on page setupandreset.php to show what happened
Added try/catch and more error handling to setupandreset.php
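The add-to-your-blog fix in the 2.1.3 log is a second-order SQL injection: the login name is stored safely at registration, then later trusted and concatenated into the "show my entries" query. The following added example (not Mutillidae's code; table and column names are assumptions, the data is constructed) reproduces that pattern against an in-memory SQLite database and puts the bound-parameter version beside it.

```python
"""Second-order SQL injection through a stored login name (added example).

Constructed illustration of the add-to-your-blog bug described in the
2.1.3 change log; not Mutillidae's own code. Table and column names are
assumptions, and the rows are made up.
"""
import sqlite3


def setup_db():
    """Build an in-memory database with a few constructed blog entries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE blogs (username TEXT, entry TEXT)")
    db.executemany("INSERT INTO blogs VALUES (?, ?)", [
        ("alice", "alice entry 1"),
        ("bob", "bob private entry"),
    ])
    return db


def register(db, username, password):
    """Registration binds its parameters, so a name containing quote
    characters is stored verbatim and raises no error here."""
    db.execute("INSERT INTO accounts VALUES (?, ?)", (username, password))


def my_entries_vulnerable(db, current_user):
    """'Show my blog entries' as before the fix: the login name read back
    from the session is treated as trusted and concatenated into SQL."""
    sql = "SELECT username, entry FROM blogs WHERE username = '" + current_user + "'"
    return db.execute(sql).fetchall()


def my_entries_fixed(db, current_user):
    """Same query with a bound parameter: the login name is data, never SQL,
    no matter where it was validated (or not) earlier."""
    return db.execute(
        "SELECT username, entry FROM blogs WHERE username = ?", (current_user,)
    ).fetchall()


def demo():
    """Register a constructed login name containing a quote, then run both
    query variants as that user. Returns (vulnerable_rows, fixed_rows)."""
    db = setup_db()
    stored_name = "x' OR '1'='1"  # constructed attacker-chosen login name
    register(db, stored_name, "pw")
    return my_entries_vulnerable(db, stored_name), my_entries_fixed(db, stored_name)
```

The vulnerable variant returns every user's entries because the stored name rewrites the WHERE clause; the fixed variant returns nothing, since that user has no blog entries.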