Mutillidae: Born to be Hacked
Version: 2.1.19

OWASP
Site hacked...err...quality-tested with Samurai WTF, Backtrack, Firefox, Burp-Suite, Netcat, and these Mozilla Add-ons
Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin
Register for an Account
Please choose your username, password and signature
Username
Password
Confirm Password
Signature
Hints
  • For XSS: XSS is easy stuff. This one shows off stored XSS (someone can run across it later in another app that uses the same database). Check out the "User Info" page for the results of this stored XSS. "<script>alert("XSS");</script>" is the classic XSS demo, but there are far more interesting things you could do, which I plan to show in a video later. Also, check out RSnake's XSS Cheat Sheet for more ways you can encode XSS attacks that may allow you to get around some filters.
  • For SQL Injection: Mostly errors, but they reveal too much information about the application.
  • Try SQL injection probing by entering single-quotes, double-quotes, parentheses, double-dash (--), slash-asterisk (/*), and closing-parenthesis-hyphen-hyphen ()--)
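
The defensive counterpart to both hints, as an added example that is not Mutillidae's own code: a registration handler that binds the form fields as SQL parameters, and a "User Info" style renderer that HTML-encodes stored values on output. The schema, function names and sample inputs are assumptions, and an in-memory SQLite database stands in for the application's real one.

```python
import hashlib
import html
import os
import sqlite3

def open_db():
    """In-memory database standing in for the accounts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, salt BLOB, "
        "pw_hash BLOB, signature TEXT)"
    )
    return conn

def register(conn, username, password, signature):
    """Store a new account; values are bound as parameters, never spliced into SQL."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    conn.execute(
        "INSERT INTO accounts (username, salt, pw_hash, signature) "
        "VALUES (?, ?, ?, ?)",
        (username, salt, pw_hash, signature),
    )
    conn.commit()

def render_user_info(conn, username):
    """Build the HTML fragment for a "User Info" style page, encoding on output."""
    row = conn.execute(
        "SELECT username, signature FROM accounts WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Generic message: no SQL text or driver error reaches the client.
        return "<p>No such user.</p>"
    name, signature = (html.escape(v, quote=True) for v in row)
    return f"<p>Username: {name}</p><p>Signature: {signature}</p>"

if __name__ == "__main__":
    db = open_db()
    # Constructed inputs: the probe characters and the alert() demo from the hints.
    probe_name = "o'brien\" )--"
    register(db, probe_name, "pw", '<script>alert("XSS");</script>')
    print(render_user_info(db, probe_name))
```

The signature is stored exactly as typed, so the encoding has to happen in every application that later renders it from the shared database.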