Mutillidae: Born to be Hacked
Version: 2.1.19
OWASP
Site hacked...err...quality-tested with Samurai WTF, Backtrack, Firefox, Burp-Suite, Netcat, and these Mozilla Add-ons
Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin

Password Generator
Making strong passwords is important.
Click the button below to generate a password.
Hints
  • JavaScript Injection: JS injection is closely related to HTML injection and Cross Site Scripting. All are a violation of context, in which the input is able to break out of the current context and switch to another context. Alternatively, an injection may stay in the current context but modify the source code.
  • An example of breaking context is injecting script tags into HTML output. The developer believes the context should be HTML (perhaps a table), but the input of script tags (with embedded script) causes the browser to stop processing HTML and switch to processing script. The context switch occurs when the browser stops executing the HTML instructions and instead executes the JS.
  • Injection within context could be injecting HTML into HTML output. Although the page source code is altered, the context remains the same.
  • The defect on this page which allows JS injection does not break out of context.
  • The JS that builds the password is a diversion. The injection point is elsewhere.
  • To find the injection, you need a canary. First, identify the input. Does this page take input from a form, URL parameter, cookie, or other input? HTTPFox is a good tool to see all the input as you "GET" a page (the request) and all the output the server responds with (the response).
  • Once you find the page input, try injecting a simple canary like "CANARY-INPUT-1" then search the resulting page to see where the canary showed up.
  • Searching for a canary in the actual browser output is not a good idea. Use the browser's "view source" to see the "real" response. Tools like HTTPFox are great for this as well. Tools with more features like Burp are even better but have more of a learning curve. Burp will remember the source of each page you visit as you spider the site.
  • Once the canary (or canaries) is located, identify what characters need to be injected to "end" the current instruction. Identify the characters that are needed to block out any instruction that comes after the canary. Put your injection in the middle.
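The following is an added example and is not Mutillidae's own code: a hypothetical server-side template for a page like this one, written in JavaScript so it runs stand-alone, that concatenates a request parameter straight into a `<script>` block (an injection that stays in the JS context, as the hints describe), beside a hardened version that encodes the value as a JS string literal. The function names, the `username` parameter and the sample inputs are all assumptions. It also includes the two checks a reviewer would run against the raw response: whether a canary lands inside a script block, and whether the generated script body still parses.

```javascript
// Added example, not code from Mutillidae. Hypothetical template for a page that
// embeds a request parameter inside a <script> block; all names are assumptions.

// Vulnerable pattern: untrusted input is concatenated into a JS string literal.
// The injection does not have to leave the JS context; a single quote ends the literal.
function renderUnsafe(username) {
  return [
    "<html><body>",
    "<script>",
    "  var username = '" + username + "';",
    "  function generatePassword() { return 'not the injection point'; }",
    "</script>",
    "</body></html>",
  ].join("\n");
}

// Hardened pattern: serialise the value as a JSON string literal, then escape the
// characters JSON.stringify leaves alone that still matter inside <script>:
// '<' and '>' (so a "</script>" in the input cannot end the block) and the
// U+2028/U+2029 line terminators, which older engines reject inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(username) {
  return [
    "<html><body>",
    "<script>",
    "  var username = " + jsStringLiteral(username) + ";",
    "  function generatePassword() { return 'not the injection point'; }",
    "</script>",
    "</body></html>",
  ].join("\n");
}

// Check 1: where does a canary land in the raw response, and in which context?
// This mirrors the "view source" advice above: search the response, not the rendered page.
function locateCanary(html, canary) {
  const idx = html.indexOf(canary);
  if (idx < 0) return { found: false, index: -1, context: null };
  const before = html.slice(0, idx);
  const inScript = before.lastIndexOf("<script") > before.lastIndexOf("</script");
  return { found: true, index: idx, context: inScript ? "script" : "html" };
}

// Check 2: does the first <script> body still compile as JavaScript?
// new Function() only parses the source; nothing in it is executed.
function scriptBodyParses(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  if (!m) return false;
  try {
    new Function(m[1]);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs: a canary, a benign name with an apostrophe, and a closing tag.
const SAMPLES = ["CANARY-INPUT-1", "O'Brien", "</script>"];

function report() {
  return SAMPLES.map((input) => ({
    input,
    canary: locateCanary(renderUnsafe(input), input).context,
    unsafeParses: scriptBodyParses(renderUnsafe(input)),
    safeParses: scriptBodyParses(renderSafe(input)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

The benign input `O'Brien` is enough to show the defect: the unsafe template produces `var username = 'O'Brien';`, which no longer parses, while the hardened template yields a valid literal. The `</script>` sample shows why `JSON.stringify` alone is not sufficient inside a script block; the hardened output contains exactly one closing tag, the unsafe output two.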