Next thing you'll be telling us that Webscarab is a virus :-)
>-----Original Message-----
>From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Fionnbharr
>Sent: Friday, May 22, 2009 9:06 AM
>To: Brigette DéFaveur
>Cc: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
>Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
>
>THIS IS A PRETTY FUNNY ADVISORY
>
>
>
>HA HA HA
>
>2009/5/22 "Brigette DéFaveur" <blos...@consultant.com>:
>> ************************** bloSOFT **************************
>> Super Wowzer Hacker Team - Professional Vulnerability Assessments
>>
>> BLOsoft Research Team
>> ------------------------------------------------
>> Base Level Ops Securing Otherwise Fscked Tech!
>>
>>
>> [POSTING NOTICE]
>> --------------------------------------------------------------------------
>> If you intend on pimping this advisory on your Geocities web page please
>> create a clickable link back to our uberhawtness security page and include
>> annoying use of the <blink> tag
>>
>> For more information about Hacking finger condor @well.com
>>
>> [Advisory Information]
>> --------------------------------------------------------------------------
>> Contact : Brigette DéFaveur
>> Advisory ID : BLOSOFT-20090521
>> Product Name : WebGoat
>> Product Version : All versions
>> Vendor Name : OWASP
>> Type of Vulnerability : Multiple
>> Impact : Extremely Critical, like wtf critical
>> Vendor Notified : 20090521
>>
>> [Product Description]
>> --------------------------------------------------------------------------
>> "The Open Web Application Security Project (OWASP) is a worldwide free and
>> open community focused on improving the security of application software.
>> Our mission is to make application security visible, so that people and
>> organizations can make informed decisions about true application security
>> risks."
>>
>> Taken From:
>> http://www.owasp.org/index.php/Main_Page
>>
>>
>> [Technical Summary]
>> --------------------------------------------------------------------------
>> Webgoat is vulnerable to the following attacks:
>>
>> Cross-site Scripting (XSS)
>> Access Control
>> Hidden Form Field Manipulation
>> Parameter Manipulation
>> Session Cookies
>> SQL Injection
>>
>> While performing our advanced superwowzer hackerfying analysis we discovered
>> that WebGoat is vulnerable to dozens if not billions of attacks if they
>> were attacked by attackers.
>>
>>
>> [Impact]
>> --------------------------------------------------------------------------
>> [Impact varies from installation to installation]
>>
>> - Cookie stealing
>> - Cookie harassing
>> - Cookie tampering
>> - Tampering of harassed cookie
>> - Harassing the thief tampering with cookies
>> - High level advanced SQL injection (' or 1=1-- )
>> - High level super advanced XSS <b onmouseover=alert('bloSOFT')>OMFG</b>
>> - Improper sanitization of the blink tag
>>
>>
>> [Proof Of Concept]
>> --------------------------------------------------------------------------
>> Download WebGoat and you too can see the trillions of exploits affecting
>> this software. We will not pollute the www with another useless filth of
>> a program designed to assist in the manipulation of security
>>
>>
>> [Vendor Status and Chronology]
>> --------------------------------------------------------------------------
>>
>> Current Vendor Status: OWASP has too many members that don't matter.
>>
>> Chronology:
>> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
>> 05/21/2009 07:11:59 AM EST - Vendor Notified
>> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
>> 05/21/2009 07:13:23 AM EST - No response from vendor
>> 05/21/2009 07:13:28 AM EST - Began advisory release process
>>
>>
>> [Solution]
>> --------------------------------------------------------------------------
>> Leave Britney alone
>>
>>
>> [Disclaimer]
>> --------------------------------------------------------------------------
>> bloSOFT assumes no liability for the use of the information provided in
>> this disclosure. This advisory was released in an effort to prove our
>> worthiness to the I.T. community. Although we may at times attempt to
>> extort or blackmail companies in order to comply with our view of how
>> security should be, we make no intelligent assumptions or decisions in
>> releasing our security advisories.
>>
>>
>> [Advertisement]
>> --------------------------------------------------------------------------
>> bloSOFT is focused on the core commitment to provide the whole wide world
>> with security designs and solutions that fit. Our team consists of expert
>> level engineers with an array of experience ranging from eggdrop shells,
>> running nmap, re-hashing advisories and securitizing maximized potential
>> designs with actionable digital intelligence catering to the professional
>> hackers. Should you wish to place us at the top of "security review" by
>> using an alias please do so. Although we might not be as elite as other
>> companies like Netragard, bear in mind, even ImmunitySec isn't as elite
>> or as talented as Netragard.
>>
>> http://secreview.blogspot.com/
>>
>>
>> [Greets]
>> --------------------------------------------------------------------------
>> Simone Smithereen - we wub you oh grand masteress
>> Kevin Finkelstein - we be done havin yo back slap mah fro
>> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
>>
>> All the rest - all the best
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/