OWASPBWA Known Vulnerabilities
Revision as of 06:38, 22 October 2010 by Chuck Willis (talk | contribs)
This page is a test of how we may catalog vulnerabilities in the OWASP BWA project.
Struts Forms
ID | Type | URL | Details
1 | Reflected XSS | http://owaspbwa:8080/mandiant-struts-form-vulnerable/submitname.do | Visit http://owaspbwa:8080/mandiant-struts-form-vulnerable/submitname.do?name=%3Cscript%3Ealert%281%29%3C/script%3E&submit=Submit to demonstrate this issue.
2 | | |
Simple ASP.NET Forms
OWASP VicNum
ID | Type | URL | Details
1 | Reflected XSS | http://owaspbwa/vicnum/cgi-bin/vicnum1.pl | Visit http://owaspbwa/vicnum/cgi-bin/vicnum1.pl?player=Foo%3Cscript%3Ealert%281%29%3C%2Fscript%3E to demonstrate this issue.
2 | Reflected XSS | http://owaspbwa/vicnum/vicnum5.php | To illustrate this issue, send a POST request containing player=<script>alert(1)</script>
3 | State Manipulation | | When playing the game, the "correct" answer is stored in Base64-encoded form in a hidden form field named VIEWSTATE. An attacker can decode this value in order to determine the correct answer to the game, or manipulate it.