THIS IS A PRETTY FUNNY ADVISORY
HA HA HA

2009/5/22 "Brigette DéFaveur" <[email protected]>:
> ************************** bloSOFT **************************
> Super Wowzer Hacker Team - Professional Vulnerability Assessments
>
> BLOsoft Research Team
> ------------------------------------------------
> Base Level Ops Securing Otherwise Fscked Tech!
>
>
> [POSTING NOTICE]
> --------------------------------------------------------------------------
> If you intend on pimping this advisory on your Geocities web page please
> create a clickable link back to our uberhawtness security page and include
> annoying use of the <blink> tag
>
> For more information about Hacking finger condor @well.com
>
> [Advisory Information]
> --------------------------------------------------------------------------
> Contact : Brigette DéFaveur
> Advisory ID : BLOSOFT-20090521
> Product Name : WebGoat
> Product Version : All versions
> Vendor Name : OWASP
> Type of Vulnerability : Multiple
> Impact : Extremely Critical, like wtf critical
> Vendor Notified : 20090521
>
> [Product Description]
> --------------------------------------------------------------------------
> "The Open Web Application Security Project (OWASP) is a worldwide free and
> open community focused on improving the security of application software.
> Our mission is to make application security visible, so that people and
> organizations can make informed decisions about true application security
> risks."
>
> Taken From:
> http://www.owasp.org/index.php/Main_Page
>
>
> [Technical Summary]
> --------------------------------------------------------------------------
> Webgoat is vulnerable to the following attacks:
>
> Cross-site Scripting (XSS)
> Access Control
> Hidden Form Field Manipulation
> Parameter Manipulation
> Session Cookies
> SQL Injection
>
> While performing our advanced superwowzer hackerfying analysis we discovered
> that WebGoat is vulnerable to dozens if not billions of attacks if they
> were attacked by attackers.
>
>
> [Impact]
> --------------------------------------------------------------------------
> [Impact varies from installation to installation]
>
> - Cookie stealing
> - Cookie harassing
> - Cookie tampering
> - Tampering of harassed cookie
> - Harassing the thief tampering with cookies
> - High level advanced SQL injection (' or 1=1-- )
> - High level super advanced XSS <b onmouseover=alert('bloSOFT')>OMFG</b>
> - Improper sanitization of the blink tag
>
>
> [Proof Of Concept]
> --------------------------------------------------------------------------
> Download WebGoat and you too can see the trillions of exploits affecting
> this software. We will not pollute the www with another useless filth of
> a program designed to assist in the manipulation of security
>
>
> [Vendor Status and Chronology]
> --------------------------------------------------------------------------
>
> Current Vendor Status: OWASP has too many members that don't matter.
>
> Chronology:
> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
> 05/21/2009 07:11:59 AM EST - Vendor Notified
> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
> 05/21/2009 07:13:23 AM EST - No response from vendor
> 05/21/2009 07:13:28 AM EST - Began advisory release process
>
>
> [Solution]
> --------------------------------------------------------------------------
> Leave Britney alone
>
>
> [Disclaimer]
> --------------------------------------------------------------------------
> bloSOFT assumes no liability for the use of the information provided in
> this disclosure. This advisory was released in an effort to prove our
> worthiness to the I.T. community. Although we may at times attempt to
> extort or blackmail companies in order to comply with our view of how
> security should be, we make no intelligent assumptions or decisions in
> releasing our security advisories.
>
>
> [Advertisement]
> --------------------------------------------------------------------------
> bloSOFT is focused on the core commitment to provide the whole wide world
> with security designs and solutions that fit. Our team consists of expert
> level engineers with an array of experience ranging from eggdrop shells,
> running nmap, re-hashing advisories and securitizing maximized potential
> designs with actionable digital intelligence catering to the professional
> hackers. Should you wish to place us at the top of "security review" by
> using an alias please do so. Although we might not be as elite as other
> companies like Netragard, bear in mind, even ImmunitySec isn't as elite
> or as talented as Netragard.
>
> http://secreview.blogspot.com/
>
>
> [Greets]
> --------------------------------------------------------------------------
> Simone Smithereen - we wub you oh grand masteress
> Kevin Finkelstein - we be done havin yo back slap mah fro
> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
>
> All the rest - all the best
>
>
> --
> Be Yourself @ mail.com!
> Choose From 200+ Email Addresses
> Get a Free Account at www.mail.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
