Vicnum 1.5 within OWASPBWA


Mordecai Kraushar

Jul 25, 2012, 11:09:59 AM
to owas...@googlegroups.com
Thanks much Chuck for getting a recently updated Vicnum into the OWASP BWA project at the last minute.

Some minor twists (I cannot say bugs, as this is an intentionally broken app):

  • When one first completes a Jotto game within Vicnum, one sees the top 10 players, which includes one player with a terrible score. That player's name is a hint, and it would be best not to show it so easily, but rather require that player's score to be revealed through an SQL injection. An easy workaround is just to populate the jottoresults table with more than 10 results so the terrible score does not readily appear.
  • There is also a subtle stored XSS in the new Union Challenge. There is a URL option of ADMIN which, if set to Q, will dump the query that joined the tables. However, that query could have had within it some tags/code that would be executed by the browser. As an aside, stored XSS has posed problems in CTFs with Vicnum, where people will enter a name that can rewrite a page and change results. Typically names with tags will be checked, but this one is getting through. I don't think it is a big deal, certainly when the ADMIN field is not tampered with, but I will be reviewing.
Thanks again for your effort.
The project is truly awesome.

Mo
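Both twists above, reduced to a runnable sketch. This is an added example, not Vicnum's own code or the original poster's: the table name jottoresults comes from the message, but its columns (name, guesses), the sample rows, the "hint" player, and the shape of the Union Challenge query and its ADMIN=Q dump are all assumptions made for illustration. It shows why the give-away score surfaces only while the table has fewer than ten rows, and why echoing a string-built query without output encoding turns a stored name into a stored XSS, beside the encoded version.

```python
import html
import sqlite3

# Added example, not Vicnum's code. Schema, rows and query shape are assumptions.
HINT_PLAYER = ("hint_player", 999)   # constructed give-away entry with a terrible score
SAMPLE_RESULTS = [                   # constructed sample rows, not real Vicnum data
    ("alice", 4),
    ("bob", 6),
    HINT_PLAYER,
]


def make_db(rows=SAMPLE_RESULTS):
    """In-memory stand-in for the jottoresults table (columns are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jottoresults (name TEXT, guesses INTEGER)")
    conn.executemany("INSERT INTO jottoresults (name, guesses) VALUES (?, ?)", rows)
    return conn


def top_players(conn, limit=10):
    """Names on the 'top 10' board. In Jotto fewer guesses is better, so the
    terrible entry sorts last and is only visible while the table is short."""
    cur = conn.execute(
        "SELECT name, guesses FROM jottoresults ORDER BY guesses ASC LIMIT ?",
        (limit,))
    return [name for name, _ in cur.fetchall()]


def pad_results(conn, count=10):
    """The workaround from the thread: enough ordinary results that the hint
    falls outside the top 10."""
    conn.executemany(
        "INSERT INTO jottoresults (name, guesses) VALUES (?, ?)",
        [(f"filler{i}", 5) for i in range(count)])


def union_query(name):
    """Deliberately built by string concatenation, as an injection challenge
    would be, so a stored name lands verbatim inside the query text."""
    return ("SELECT name, guesses FROM jottoresults WHERE name = '" + name + "' "
            "UNION SELECT name, guesses FROM jottoresults")


def debug_dump_vulnerable(query, admin):
    """ADMIN=Q echoes the query into the page with no output encoding:
    any tags carried in a stored name reach the browser as markup."""
    if admin != "Q":
        return ""
    return "<pre>" + query + "</pre>"


def debug_dump_fixed(query, admin):
    """Same debug feature, but the query text is HTML-encoded first,
    so the tags are displayed rather than executed."""
    if admin != "Q":
        return ""
    return "<pre>" + html.escape(query) + "</pre>"


if __name__ == "__main__":
    db = make_db()
    print(top_players(db))          # hint_player shows on a short board
    pad_results(db)
    print(top_players(db))          # hint_player pushed off the board
    evil_name = "x<script>alert(1)</script>"   # constructed attacker-chosen name
    q = union_query(evil_name)
    print(debug_dump_vulnerable(q, "Q"))
    print(debug_dump_fixed(q, "Q"))
```

The fix only encodes the debug output; it leaves the string-built query in place because that is the challenge being trained. In a real application the query itself would be parameterised as well.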

Chuck Willis

Aug 7, 2012, 10:05:27 PM
to owas...@googlegroups.com
Hi Mordecai,

Sorry for the slow response and thanks for this info. Other than
populating the jottoresults table, are there changes that I should
make to Vicnum on the VM?

Chuck

Mordecai Kraushar

Aug 7, 2012, 10:14:48 PM
to owas...@googlegroups.com, Nicole Becher, fridayg...@gmail.com
Hi Chuck,

There still might be tweaks, as I am getting ready for a 9/20 OWASP prizo. It will have many owaspbwa mentions for sure.

BTW, I have cc'ed Nicole, who has serious skills and has done some heavy vetting of Vicnum.
Are you looking for more bad web apps? Any frameworks?

Chuck Willis

Aug 7, 2012, 11:56:46 PM
to owas...@googlegroups.com, Nicole Becher, fridayg...@gmail.com
Ok, no problem. While there are a few bugs in the 1.0 release, there
are not any show stoppers so I'm not planning to make a new release
until September at the earliest.

We are always interested in more bad apps. It would be great to get
some more applications that use frameworks like Spring, Struts2, or
Rails. Even if they are just little demo pages that have a couple
important issues (like XSS and SQLi), I think that they will be
valuable, especially for developer training.

The problem you may run into, however, is that installing modern
versions of the frameworks themselves may not work well since we are
on an older Ubuntu release (10.04 LTS if I recall). I would hope that
you could do a lot of this kind of stuff with older framework versions
from the Ubuntu repository, however.

Chuck

Nicole Becher

Aug 10, 2012, 10:48:19 AM
to Chuck Willis, owas...@googlegroups.com, Nicole Becher
Hi Chuck-

I was able to get the latest Rails framework working on the existing owaspbwa Ubuntu image. I can get a simple Rails app working that demonstrates some XSS/SQLi/CSRF/auth & session issues and common Rails vulns like mass assignment. Would that be helpful to include? When it's done, I can either snapshot the VM or hand off some step-by-step command line instructions to get the VM Rails-ready.

Anything else you want me to include?

This is a really cool project!

/N

Chuck Willis

Aug 10, 2012, 2:49:21 PM
to Nicole Becher, Nicole Becher, owas...@googlegroups.com

That is awesome, thanks a bunch. I'm looking forward to playing with that.

If it isn't too complicated, step-by-step instructions are preferred. For the app(s) or other directories, feel free to provide a tarball (or tarballs) and tell me where to extract.

If things are more involved, then you can send me a new VM (based on the 1.0 release).

Chuck

David Sachdev

Aug 10, 2012, 4:56:43 PM
to owas...@googlegroups.com, Nicole Becher, fridayg...@gmail.com
Chuck,
     We were just talking today about the fact that many web applications are moving towards an Ajax-based front-end backed by Java REST services.

In the current application I am working on we are using Spring MVC controllers to provide RESTful services that are consumed by an ExtJS (JavaScript-based) GUI to give the application that richer feel. I need to look into BWA to see if there is already an application that uses a similar architecture.

We are working on our own home-grown token-based solution to prevent CSRF for this application at the moment, and I realize that this may be the time to contribute to an OWASP project (that is, if this current app/project gives me the breathing room to work towards that goal!)

David
--
David Sachdev
http://www.innotac.com
http://www.translucent-development.com
http://www.translucent-design.com
