[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] OWASP LiveCD Vulnerabilities



LOL, I thought that the point of that live cd was training for pen-testing.

very funny.

Haj.-

2009/5/23 Tomas L. Byrnes <tomb@xxxxxxxxxxx>

> Next thing you'll be telling us that Webscarab is a virus :-)
>
>
>
> >-----Original Message-----
> >From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-
> >bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Fionnbharr
> >Sent: Friday, May 22, 2009 9:06 AM
> >To: Brigette DéFaveur
> >Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> >Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
> >
> >THIS IS A PRETTY FUNNY ADVISORY
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >HA HA HA
> >
> >2009/5/22 "Brigette DéFaveur" <blosoft@xxxxxxxxxxxxxx>:
> >> **************************    bloSOFT   **************************
> >> Super Wowzer Hacker Team - Professional Vulnerability Assessments
> >>
> >>                            BLOsoft Research Team
> >>              ------------------------------------------------
> >>               Base Level Ops Securing Otherwise Fscked Tech!
> >>
> >>
> >>
> >> [POSTING NOTICE]
> >> ----------------------------------------------------------------------
> >----
> >> If you intend on pimping this advisory on your Geocities web page
> >please
> >> create a clickable link back to our uberhawtness security page and
> >include
> >> annoying use of the <blink> tag
> >>
> >> For more information about Hacking finger condor @well.com
> >>
> >> [Advisory Information]
> >> ----------------------------------------------------------------------
> >----
> >> Contact                         : Brigette DéFaveur
> >> Advisory ID                     : BLOSOFT-20090521
> >> Product Name                    : WebGoat
> >> Product Version                 : All versions
> >> Vendor Name                     : OWASP
> >> Type of Vulnerability           : Multiple
> >> Impact                          : Extremely Critical, like wtf
> >critical
> >> Vendor Notified                 : 20090521
> >>
> >> [Product Description]
> >> ----------------------------------------------------------------------
> >----
> >> "The Open Web Application Security Project (OWASP) is a worldwide free
> >and
> >> open community focused on improving the security of application
> >software.
> >> Our mission is to make application security visible, so that people
> >and
> >> organizations can make informed decisions about true application
> >security
> >> risks."
> >>
> >> Taken From:
> >> http://www.owasp.org/index.php/Main_Page
> >>
> >>
> >> [Technical Summary]
> >> ----------------------------------------------------------------------
> >----
> >> Webgoat is vulnerable to the following attacks:
> >>
> >> Cross-site Scripting (XSS)
> >> Access Control
> >> Hidden Form Field Manipulation
> >> Parameter Manipulation
> >> Session Cookies
> >> SQL Injection
> >>
> >> While performing our advanced superwowzer hackerfying analysis
> >discovered
> >> that WebGoat is vulnerable to dozens if not billions of attacks if
> >they
> >> were attacked by attackers.
> >>
> >>
> >> [Impact]
> >> ----------------------------------------------------------------------
> >----
> >> [Impact varies from installation to installation]
> >>
> >> - Cookie stealing
> >> - Cookie harassing
> >> - Cookie tampering
> >> - Tampering of harassed cookie
> >> - Harassing the thief tampering with cookies
> >> - High level advanced SQL injection (' or 1=1-- )
> >> - High level super advanced XSS <b
> >onmouseover=alert('bloSOFT')>OMFG</b>
> >> - Improper sanitization of the blink tag
> >>
> >>
> >> [Proof Of Concept]
> >> ----------------------------------------------------------------------
> >----
> >> Download WebGoat and you too can see the trillions of exploits
> >affecting
> >> this software. We will not pollute the www with another useless filth
> >of
> >> a program designed to assist in the manipulation of security
> >>
> >>
> >> [Vendor Status and Chronology]
> >> ----------------------------------------------------------------------
> >----
> >>
> >> Current Vendor Status:  OWASP has to many members that don't matter.
> >>
> >> Chronology:
> >> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
> >> 05/21/2009 07:11:59 AM EST - Vendor Notified
> >> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
> >> 05/21/2009 07:13:23 AM EST - No response from vendor
> >> 05/21/2009 07:13:28 AM EST - Began advisory release process
> >>
> >>
> >> [Solution]
> >> ----------------------------------------------------------------------
> >----
> >> Leave Britney alone
> >>
> >>
> >> [Disclaimer]
> >> ----------------------------------------------------------------------
> >----
> >> bloSOFT assumes no liability for the use of the information provider
> >in
> >> this disclosure. This advisory was released in an effort to prove our
> >> worthiness to the I.T. community. Although we may at times attempt to
> >> extort or blackmail companies in order to comply with our view of how
> >> security should be, we make no intelligent assumptions or decisions in
> >> releasing our security advisories.
> >>
> >>
> >> [Advertisement]
> >> ----------------------------------------------------------------------
> >----
> >> bloSOFT is focused on the core commitment to provide the whole wide
> >world
> >> with security designs and solutions that fit. Our team consists of
> >expert
> >> level engineers with an array of experience ranging from eggdrop
> >shells,
> >> running nmap, re-hashing advisories and securitizing maximized
> >potential
> >> designs with actionable digital intelligence catering to the
> >professional
> >> hackers. Should you wish to place us at the top of "security review"
> >by
> >> using an alias please do so. Although we might not be as elite as
> >other
> >> companies like Netragard, bear in mind, even ImmunitySec isn't as
> >elite
> >> or as talented as Netragard.
> >>
> >> http://secreview.blogspot.com/
> >>
> >>
> >> [Greets]
> >> ----------------------------------------------------------------------
> >----
> >> Simone Smithereen - we wub you oh grand masteress
> >> Kevin Finkelstein - we be done havin yo back slap mah fro
> >> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
> >>
> >> All the rest - all the best
> >>
> >>
> >>
> >>
> >> --
> >> Be Yourself @ mail.com!
> >> Choose From 200+ Email Addresses
> >> Get a Free Account at www.mail.com
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/