Full Disclosure mailing list archives
Re: OWASP LiveCD Vulnerabilities
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sat, 23 May 2009 17:22:18 -0700
Next thing you'll be telling us that Webscarab is a virus :-)
-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure- bounces () lists grok org uk] On Behalf Of Fionnbharr Sent: Friday, May 22, 2009 9:06 AM To: Brigette DéFaveur Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities THIS IS A PRETTY FUNNY ADVISORY HA HA HA 2009/5/22 "Brigette DéFaveur" <blosoft () consultant com>:************************** bloSOFT ************************** Super Wowzer Hacker Team - Professional Vulnerability Assessments BLOsoft Research Team ------------------------------------------------ Base Level Ops Securing Otherwise Fscked Tech! [POSTING NOTICE] --------------------------------------------------------------------------If you intend on pimping this advisory on your Geocities web pagepleasecreate a clickable link back to our uberhawtness security page andincludeannoying use of the <blink> tag For more information about Hacking finger condor @well.com [Advisory Information] --------------------------------------------------------------------------Contact : Brigette DéFaveur Advisory ID : BLOSOFT-20090521 Product Name : WebGoat Product Version : All versions Vendor Name : OWASP Type of Vulnerability : Multiple Impact : Extremely Critical, like wtfcriticalVendor Notified : 20090521 [Product Description] --------------------------------------------------------------------------"The Open Web Application Security Project (OWASP) is a worldwide freeandopen community focused on improving the security of applicationsoftware.Our mission is to make application security visible, so that peopleandorganizations can make informed decisions about true applicationsecurityrisks." Taken From: http://www.owasp.org/index.php/Main_Page [Technical Summary] --------------------------------------------------------------------------Webgoat is vulnerable to the following attacks: Cross-site Scripting (XSS) Access Control Hidden Form Field Manipulation Parameter Manipulation Session Cookies SQL Injection While performing our advanced superwowzer hackerfying analysisdiscoveredthat WebGoat is vulnerable to dozens if not billions of attacks iftheywere attacked by attackers. [Impact] --------------------------------------------------------------------------[Impact varies from installation to installation] - Cookie stealing - Cookie harassing - Cookie tampering - Tampering of harassed cookie - Harassing the thief tampering with cookies - High level advanced SQL injection (' or 1=1-- ) - High level super advanced XSS <bonmouseover=alert('bloSOFT')>OMFG</b>- Improper sanitization of the blink tag [Proof Of Concept] --------------------------------------------------------------------------Download WebGoat and you too can see the trillions of exploitsaffectingthis software. We will not pollute the www with another useless filthofa program designed to assist in the manipulation of security [Vendor Status and Chronology] --------------------------------------------------------------------------Current Vendor Status: OWASP has to many members that don't matter. Chronology: 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered 05/21/2009 07:11:59 AM EST - Vendor Notified 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email 05/21/2009 07:13:23 AM EST - No response from vendor 05/21/2009 07:13:28 AM EST - Began advisory release process [Solution] --------------------------------------------------------------------------Leave Britney alone [Disclaimer] --------------------------------------------------------------------------bloSOFT assumes no liability for the use of the information providerinthis disclosure. This advisory was released in an effort to prove our worthiness to the I.T. community. Although we may at times attempt to extort or blackmail companies in order to comply with our view of how security should be, we make no intelligent assumptions or decisions in releasing our security advisories. [Advertisement] --------------------------------------------------------------------------bloSOFT is focused on the core commitment to provide the whole wideworldwith security designs and solutions that fit. Our team consists ofexpertlevel engineers with an array of experience ranging from eggdropshells,running nmap, re-hashing advisories and securitizing maximizedpotentialdesigns with actionable digital intelligence catering to theprofessionalhackers. Should you wish to place us at the top of "security review"byusing an alias please do so. Although we might not be as elite asothercompanies like Netragard, bear in mind, even ImmunitySec isn't aseliteor as talented as Netragard. http://secreview.blogspot.com/ [Greets] --------------------------------------------------------------------------Simone Smithereen - we wub you oh grand masteress Kevin Finkelstein - we be done havin yo back slap mah fro Adrien DéFaveur - my brother, I know you didn't blackmail HP! All the rest - all the best -- Be Yourself @ mail.com! Choose From 200+ Email Addresses Get a Free Account at www.mail.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OWASP LiveCD Vulnerabilities Brigette DéFaveur (May 22)
- Re: OWASP LiveCD Vulnerabilities Fionnbharr (May 22)
- Re: OWASP LiveCD Vulnerabilities Tomas L. Byrnes (May 23)
- Re: OWASP LiveCD Vulnerabilities Herman A. Junge (May 23)
- Re: OWASP LiveCD Vulnerabilities Tomas L. Byrnes (May 23)
- Re: OWASP LiveCD Vulnerabilities Fionnbharr (May 22)