OWASPBWA Known Vulnerabilities
From OWASP
Revision as of 06:45, 22 October 2010 by Chuck Willis
This page is a test of how we may catalog vulnerabilities in the OWASP BWA project.
This page is still in testing. A single page listing every issue will probably become too large, and we'll need to break it into a separate page per application.
Struts Forms
ID | Type | URL | Details
1 | Reflected XSS | http://owaspbwa:8080/mandiant-struts-form-vulnerable/submitname.do | Visit http://owaspbwa:8080/mandiant-struts-form-vulnerable/submitname.do?name=%3Cscript%3Ealert%281%29%3C/script%3E&submit=Submit to demonstrate this issue.
Simple ASP.NET Forms
OWASP VicNum
ID | Type | URL | Details
1 | Reflected XSS | http://owaspbwa/vicnum/cgi-bin/vicnum1.pl | Visit http://owaspbwa/vicnum/cgi-bin/vicnum1.pl?player=Foo%3Cscript%3Ealert%281%29%3C%2Fscript%3E to demonstrate this issue.
2 | Reflected XSS | http://owaspbwa/vicnum/vicnum5.php | To demonstrate this issue, send a POST request to the URL with the body player=<script>alert(1)</script>.
3 | State Manipulation | | When playing the game, the "correct" answer is stored Base64-encoded in a hidden form field named VIEWSTATE. Base64 is an encoding, not encryption, so an attacker can decode the value to learn the correct answer, or modify it, re-encode it and submit the forged field so that the server accepts an answer of the attacker's choosing.
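The three reflected XSS entries above (the Struts submitname.do GET, the vicnum1.pl GET and the vicnum5.php POST) all rest on the same observation: the parameter value comes back in the HTML response with its angle brackets intact. The Python below is an added example, not code from OWASP BWA or from any of the applications it bundles. It builds the probe URL the same way the entries do and classifies a response as unescaped, escaped or absent. The two render_* functions are hypothetical stand-ins for a vulnerable and a fixed server page, written only so the check runs offline; the real Struts and VicNum templates are not reproduced here.

```python
import html
from urllib.parse import urlencode

# Canary payload used in the catalog entries above.
PAYLOAD = "<script>alert(1)</script>"


def build_probe_url(base_url, param, payload=PAYLOAD, extra=None):
    """Return the GET probe URL with the payload percent-encoded, as in the entries above.

    urlencode() also encodes '/', '(' and ')', so the result is equivalent to the
    catalog's URLs even where those left a '/' bare.
    """
    params = {param: payload}
    if extra:
        params.update(extra)
    return base_url + "?" + urlencode(params)


def classify_reflection(body, payload=PAYLOAD):
    """Classify how a response body reflects the payload.

    'unescaped' : the raw markup is present, so the script would execute (vulnerable)
    'escaped'   : only the HTML-entity form is present (output encoding is in place)
    'absent'    : the parameter is not echoed at all in this response
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


# Hypothetical stand-ins for the server pages, written only so the check runs offline.
# They mimic the behaviour the catalog describes (parameter echoed into the page body);
# the real vicnum1.pl / vicnum5.php / submitname.do templates are not reproduced here.
def render_vulnerable(player):
    return "<html><body><p>Welcome, " + player + "!</p></body></html>"


def render_fixed(player):
    # Same page with output encoding applied at the point of insertion.
    return "<html><body><p>Welcome, " + html.escape(player) + "!</p></body></html>"


def probe(render, payload=PAYLOAD):
    """One request/response cycle: send the payload, classify what comes back.

    The transport (GET query string for vicnum1.pl and submitname.do, POST body for
    vicnum5.php) does not change the check; only the response body is inspected.
    """
    return classify_reflection(render(payload), payload)


if __name__ == "__main__":
    print(build_probe_url(
        "http://owaspbwa:8080/mandiant-struts-form-vulnerable/submitname.do",
        "name", extra={"submit": "Submit"}))
    print("vulnerable page:", probe(render_vulnerable))   # unescaped
    print("fixed page:     ", probe(render_fixed))        # escaped
```

The classifier deliberately looks for the entity-encoded form as well as the raw one: a page that reflects the value but encodes it is not exploitable in an HTML text context, and telling the two apart is what separates a finding from a false positive. Note that html.escape only covers HTML text and quoted-attribute contexts; a value echoed inside a script block or an unquoted attribute needs context-specific encoding instead.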
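Entry 3 is a client-side state problem: Base64 is an encoding, not encryption, so anything placed in the hidden field is readable and forgeable by the player. The Python below is an added example, not VicNum's code. SAMPLE_FORM is a constructed form with a made-up answer (42) and a field layout that is an assumption about the real page. It pulls the hidden field out of the HTML, decodes it, forges a replacement, and then shows the server-side check (an HMAC over the encoded value under a hypothetical secret key) that would at least make forgery detectable.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser

# Constructed sample of the game form as the entry describes it: the "correct" answer
# (here 42, made up) is Base64-encoded into a hidden field named VIEWSTATE. The exact
# markup of the real VicNum page is an assumption.
SAMPLE_FORM = """
<form method="post" action="vicnum2.php">
  <input type="hidden" name="VIEWSTATE" value="NDI=">
  <input type="text" name="guess">
  <input type="submit" value="Guess">
</form>
"""


class HiddenFieldFinder(HTMLParser):
    """Collect every <input type="hidden"> as name -> value."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(page):
    parser = HiddenFieldFinder()
    parser.feed(page)
    return parser.fields


def decode_viewstate(value):
    # Base64 is reversible by anyone; this is the whole of the attacker's "decoding" step.
    return base64.b64decode(value).decode()


def encode_viewstate(plaintext):
    # Forging is just as easy: re-encode whatever answer you want the server to accept.
    return base64.b64encode(plaintext.encode()).decode()


# Hypothetical server-side mitigation: an HMAC over the encoded value, keyed with a secret
# the client never sees. A forged field fails verification; a genuine one decodes as before.
# This addresses tampering only. The answer is still readable, so a guessing game should
# keep it server-side (for example in the session) rather than in the form at all.
def sign_state(plaintext, key):
    encoded = encode_viewstate(plaintext)
    tag = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    return encoded + "." + tag          # '.' never occurs in Base64 output


def verify_state(token, key):
    """Return the decoded state if the tag is valid, else None."""
    encoded, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_viewstate(encoded)


if __name__ == "__main__":
    KEY = b"server-secret-not-sent-to-client"   # hypothetical
    original = hidden_fields(SAMPLE_FORM)["VIEWSTATE"]
    print("hidden VIEWSTATE:", original, "->", decode_viewstate(original))   # NDI= -> 42
    print("forged VIEWSTATE for answer 7:", encode_viewstate("7"))           # Nw==
    token = sign_state("42", KEY)
    print("signed state verifies as:", verify_state(token, KEY))             # 42
    forged = encode_viewstate("7") + "." + "0" * 64
    print("forged state verifies as:", verify_state(forged, KEY))            # None
```

The constant-time comparison (hmac.compare_digest) matters once the tag is checked on every submission; a plain string comparison would leak where the first mismatching byte is. Signing is the minimum fix for the manipulation half of the finding; the disclosure half only goes away when the secret is not handed to the client in the first place.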