RPI Labs: OWASP Mutillidae II
|
Version: 2.11.14 Security Level: 0 (Hosed)
Hints: Enabled
Not Logged In
|
Home
|
Login/Register |
Toggle Hints | Toggle Security
|
Enforce TLS
|
Reset DB
|
View Log
|
View Captured Data
|
|
Privilege Escalation
|
Cookies |
|
Some sites keep authentication and/or authorization tokens in the
user-agent (i.e. browser, phone, tablet). This gives the user (and XSS)
large amounts of control over these tokens.
For privilege escalation via cookies, alter the cookie values and monitor the
effect. Also, regsiter for two (or more) accounts, log into both, and note any
differences between the respective cookies.
|
|
SQL Injection |
|
Login pages can be vulnerable to SQL injection such that a password
or possibly a username is required to authenticate.
|
|
Brute Force |
|
THC Hydra (http://www.thc.org/thc-hydra) and Burp Suite can be used to guess usernames and passwords quickly.
Both tools can attempt to log into sites and report the result.
|
|
Secret Adminnistrative Pages |
|
Built in pages can sometimes be accessed without a login or using
privilege escalation. These pages can grant administrative authority
to create other admin accounts.
|
|
|
Browser: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
PHP Version: 8.1.27 |