Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: OWASP LiveCD Vulnerabilities
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sat, 23 May 2009 17:22:18 -0700

Next thing you'll be telling us that Webscarab is a virus :-)



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
bounces () lists grok org uk] On Behalf Of Fionnbharr
Sent: Friday, May 22, 2009 9:06 AM
To: Brigette DéFaveur
Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities

THIS IS A PRETTY FUNNY ADVISORY











HA HA HA

2009/5/22 "Brigette DéFaveur" <blosoft () consultant com>:
**************************    bloSOFT   **************************
Super Wowzer Hacker Team - Professional Vulnerability Assessments

                           BLOsoft Research Team
             ------------------------------------------------
              Base Level Ops Securing Otherwise Fscked Tech!



[POSTING NOTICE]
----------------------------------------------------------------------
----
If you intend on pimping this advisory on your Geocities web page
please
create a clickable link back to our uberhawtness security page and
include
annoying use of the <blink> tag

For more information about Hacking finger condor @well.com

[Advisory Information]
----------------------------------------------------------------------
----
Contact                         : Brigette DéFaveur
Advisory ID                     : BLOSOFT-20090521
Product Name                    : WebGoat
Product Version                 : All versions
Vendor Name                     : OWASP
Type of Vulnerability           : Multiple
Impact                          : Extremely Critical, like wtf
critical
Vendor Notified                 : 20090521

[Product Description]
----------------------------------------------------------------------
----
"The Open Web Application Security Project (OWASP) is a worldwide free
and
open community focused on improving the security of application
software.
Our mission is to make application security visible, so that people
and
organizations can make informed decisions about true application
security
risks."

Taken From:
http://www.owasp.org/index.php/Main_Page


[Technical Summary]
----------------------------------------------------------------------
----
Webgoat is vulnerable to the following attacks:

Cross-site Scripting (XSS)
Access Control
Hidden Form Field Manipulation
Parameter Manipulation
Session Cookies
SQL Injection

While performing our advanced superwowzer hackerfying analysis
discovered
that WebGoat is vulnerable to dozens if not billions of attacks if
they
were attacked by attackers.


[Impact]
----------------------------------------------------------------------
----
[Impact varies from installation to installation]

- Cookie stealing
- Cookie harassing
- Cookie tampering
- Tampering of harassed cookie
- Harassing the thief tampering with cookies
- High level advanced SQL injection (' or 1=1-- )
- High level super advanced XSS <b
onmouseover=alert('bloSOFT')>OMFG</b>
- Improper sanitization of the blink tag


[Proof Of Concept]
----------------------------------------------------------------------
----
Download WebGoat and you too can see the trillions of exploits
affecting
this software. We will not pollute the www with another useless filth
of
a program designed to assist in the manipulation of security


[Vendor Status and Chronology]
----------------------------------------------------------------------
----

Current Vendor Status:  OWASP has to many members that don't matter.

Chronology:
05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
05/21/2009 07:11:59 AM EST - Vendor Notified
05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
05/21/2009 07:13:23 AM EST - No response from vendor
05/21/2009 07:13:28 AM EST - Began advisory release process


[Solution]
----------------------------------------------------------------------
----
Leave Britney alone


[Disclaimer]
----------------------------------------------------------------------
----
bloSOFT assumes no liability for the use of the information provider
in
this disclosure. This advisory was released in an effort to prove our
worthiness to the I.T. community. Although we may at times attempt to
extort or blackmail companies in order to comply with our view of how
security should be, we make no intelligent assumptions or decisions in
releasing our security advisories.


[Advertisement]
----------------------------------------------------------------------
----
bloSOFT is focused on the core commitment to provide the whole wide
world
with security designs and solutions that fit. Our team consists of
expert
level engineers with an array of experience ranging from eggdrop
shells,
running nmap, re-hashing advisories and securitizing maximized
potential
designs with actionable digital intelligence catering to the
professional
hackers. Should you wish to place us at the top of "security review"
by
using an alias please do so. Although we might not be as elite as
other
companies like Netragard, bear in mind, even ImmunitySec isn't as
elite
or as talented as Netragard.

http://secreview.blogspot.com/


[Greets]
----------------------------------------------------------------------
----
Simone Smithereen - we wub you oh grand masteress
Kevin Finkelstein - we be done havin yo back slap mah fro
Adrien DéFaveur - my brother, I know you didn't blackmail HP!

All the rest - all the best




--
Be Yourself @ mail.com!
Choose From 200+ Email Addresses
Get a Free Account at www.mail.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault