RE: Looking for a Web Application Vulnerable to XSS Cookie Grab

["Mike Andrews" <mike () se fit edu>]

I've got a web application with lots of flaws built in that I use to
demonstrate to students and let them loose on finding vulnerabilities
themselves.  Hopefully it will be useful to you.

It's hosted at http://crash.se.fit.edu/hackerland/ which you can have a
quick play with, but as there's real vulnerabilities I'd prefer you grab the
code at http://www.bug-box.net/projects/hackerland.zip and install it on
your own servers somewhere that's not internet accessible then go to the
admin page and add some flowers (the images are included, but not the
text/price - I should really update the create_db file to add some records).
Let me know if you need any help.

Cheers,
Mike.

====================================================================
Mike Andrews  (mike () se fit edu)                 Assistant Professor,
http://www.se.fit.edu/people/mike/  Florida Institute of Technology.
====================================================================

> -----Original Message-----
> From: CFW [mailto:cfw_security () comcast net]
> Sent: Friday, November 05, 2004 4:33 PM
> To: webappsec () securityfocus com
> Subject: Looking for a Web Application Vulnerable to XSS Cookie Grab
>
> Hi all,
>
>     I am setting up a lab to learn about web application security and I
> have been messing with WebGoat and Foundstone's HacmeBank and found them
> to be very useful learning tools.  One thing lacking in them (from what
> I can tell) is a multiuser, XSS Cookie Grabbing example.
>
>     Basically, I would like to have a little application (or part of one
> of these applications) that one (malicious) user can log in to and post
> a XSS cookie grabber to a forum or guestbook or something.  Then, the
> attacker fires up a listener until another user logs in and hits the
> script, sending the cookies to the listener.  Then, the first user can
> change his cookies, and see clearly that the web application thinks it
> is the second user.  Does anyone know of such an application?
>
>     The Foundstone Hacme Bank is almost there in that it has a "Post
> Message" section that is vulnerable to XSS, but it is set up so that
> each user sees only their own messages, so it is not possible to post a
> malicious script to someone else.  If the Foundstone people are reading
> this, have you considered changing this behavior?
>
>     While I am asking, are there any other web applications like these
> that I should set up?  I looked at WebMaven, but it looks like that has
> been overtaken by Hacme and Webgoat (correct me if I am wrong).  Someone
> mentioned a while back on pen-test that you could use an old version of
> PHP-Nuke as a vulnerable site since it has a lot of known issues.  Has
> anyone done this and have any hints on what version is the most useful
> in this respect (most vulnerable I guess)?
>
>     Thanks a bunch and have a good weekend.
>
> Chuck