LOL, I thought that the point of that live cd was training for pen-testing.
very funny. Haj.

2009/5/23 Tomas L. Byrnes <[email protected]>
> Next thing you'll be telling us that Webscarab is a virus :-)
>
> >-----Original Message-----
> >From: [email protected] [mailto:full-disclosure-[email protected]] On Behalf Of Fionnbharr
> >Sent: Friday, May 22, 2009 9:06 AM
> >To: Brigette DéFaveur
> >Cc: [email protected]; [email protected]
> >Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
> >
> >THIS IS A PRETTY FUNNY ADVISORY
> >
> >
> >
> >HA HA HA
> >
> >2009/5/22 "Brigette DéFaveur" <[email protected]>:
> >> ************************** bloSOFT **************************
> >> Super Wowzer Hacker Team - Professional Vulnerability Assessments
> >>
> >> BLOsoft Research Team
> >> ------------------------------------------------
> >> Base Level Ops Securing Otherwise Fscked Tech!
> >>
> >> [POSTING NOTICE]
> >> --------------------------------------------------------------------------
> >> If you intend on pimping this advisory on your Geocities web page please
> >> create a clickable link back to our uberhawtness security page and include
> >> annoying use of the <blink> tag
> >>
> >> For more information about Hacking finger condor @well.com
> >>
> >> [Advisory Information]
> >> --------------------------------------------------------------------------
> >> Contact : Brigette DéFaveur
> >> Advisory ID : BLOSOFT-20090521
> >> Product Name : WebGoat
> >> Product Version : All versions
> >> Vendor Name : OWASP
> >> Type of Vulnerability : Multiple
> >> Impact : Extremely Critical, like wtf critical
> >> Vendor Notified : 20090521
> >>
> >> [Product Description]
> >> --------------------------------------------------------------------------
> >> "The Open Web Application Security Project (OWASP) is a worldwide free and
> >> open community focused on improving the security of application software.
> >> Our mission is to make application security visible, so that people and
> >> organizations can make informed decisions about true application security
> >> risks."
> >>
> >> Taken From:
> >> http://www.owasp.org/index.php/Main_Page
> >>
> >> [Technical Summary]
> >> --------------------------------------------------------------------------
> >> Webgoat is vulnerable to the following attacks:
> >>
> >> Cross-site Scripting (XSS)
> >> Access Control
> >> Hidden Form Field Manipulation
> >> Parameter Manipulation
> >> Session Cookies
> >> SQL Injection
> >>
> >> While performing our advanced superwowzer hackerfying analysis discovered
> >> that WebGoat is vulnerable to dozens if not billions of attacks if they
> >> were attacked by attackers.
> >>
> >> [Impact]
> >> --------------------------------------------------------------------------
> >> [Impact varies from installation to installation]
> >>
> >> - Cookie stealing
> >> - Cookie harassing
> >> - Cookie tampering
> >> - Tampering of harassed cookie
> >> - Harassing the thief tampering with cookies
> >> - High level advanced SQL injection (' or 1=1-- )
> >> - High level super advanced XSS <b onmouseover=alert('bloSOFT')>OMFG</b>
> >> - Improper sanitization of the blink tag
> >>
> >> [Proof Of Concept]
> >> --------------------------------------------------------------------------
> >> Download WebGoat and you too can see the trillions of exploits affecting
> >> this software. We will not pollute the www with another useless filth of
> >> a program designed to assist in the manipulation of security
> >>
> >> [Vendor Status and Chronology]
> >> --------------------------------------------------------------------------
> >>
> >> Current Vendor Status: OWASP has too many members that don't matter.
> >>
> >> Chronology:
> >> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
> >> 05/21/2009 07:11:59 AM EST - Vendor Notified
> >> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
> >> 05/21/2009 07:13:23 AM EST - No response from vendor
> >> 05/21/2009 07:13:28 AM EST - Began advisory release process
> >>
> >> [Solution]
> >> --------------------------------------------------------------------------
> >> Leave Britney alone
> >>
> >> [Disclaimer]
> >> --------------------------------------------------------------------------
> >> bloSOFT assumes no liability for the use of the information provided in
> >> this disclosure. This advisory was released in an effort to prove our
> >> worthiness to the I.T. community. Although we may at times attempt to
> >> extort or blackmail companies in order to comply with our view of how
> >> security should be, we make no intelligent assumptions or decisions in
> >> releasing our security advisories.
> >>
> >> [Advertisement]
> >> --------------------------------------------------------------------------
> >> bloSOFT is focused on the core commitment to provide the whole wide world
> >> with security designs and solutions that fit. Our team consists of expert
> >> level engineers with an array of experience ranging from eggdrop shells,
> >> running nmap, re-hashing advisories and securitizing maximized potential
> >> designs with actionable digital intelligence catering to the professional
> >> hackers. Should you wish to place us at the top of "security review" by
> >> using an alias please do so. Although we might not be as elite as other
> >> companies like Netragard, bear in mind, even ImmunitySec isn't as elite
> >> or as talented as Netragard.
> >>
> >> http://secreview.blogspot.com/
> >>
> >> [Greets]
> >> --------------------------------------------------------------------------
> >> Simone Smithereen - we wub you oh grand masteress
> >> Kevin Finkelstein - we be done havin yo back slap mah fro
> >> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
> >>
> >> All the rest - all the best
> >>
> >> --
> >> Be Yourself @ mail.com!
> >> Choose From 200+ Email Addresses
> >> Get a Free Account at www.mail.com
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
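The two payloads the advisory quotes (`' or 1=1--` and the `onmouseover` XSS string) are exactly the textbook inputs WebGoat exists to teach. As an added example that is not part of this thread and not WebGoat's code, the script below runs both payloads against a constructed in-memory SQLite table and a trivial HTML renderer, showing why string-built SQL and unescaped output let them through and how a parameterized query and output escaping stop them. All function and table names (`make_db`, `login_vulnerable`, `render_escaped`, the `users` rows) are hypothetical.

```python
"""
Injectable vs. parameterized login, and raw vs. escaped HTML output,
exercised with the two payloads quoted in the advisory above.
Constructed example: in-memory SQLite, two made-up user rows.
"""
import html
import sqlite3

# Payloads exactly as quoted in the advisory.
SQLI_PAYLOAD = "' or 1=1-- "
XSS_PAYLOAD = "<b onmouseover=alert('bloSOFT')>OMFG</b>"


def make_db():
    """Constructed in-memory user table with two rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "letmein")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the WHERE clause by concatenation: the classic injectable login.
    With name = "' or 1=1-- " the predicate becomes
    name = '' or 1=1-- ... and every row matches."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Same query with bound parameters: the input is sent as data, so the
    quote and comment characters never reach the SQL parser as syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def render_vulnerable(comment):
    """Inserts user text straight into the page; the browser would treat
    the <b onmouseover=...> as markup and attach the handler."""
    return "<p>" + comment + "</p>"


def render_escaped(comment):
    """Escapes <, >, &, " and ' so the payload is displayed as text."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def demo():
    """Returns the four outcomes so they can be checked, not just printed."""
    conn = make_db()
    return {
        "sqli_vulnerable": login_vulnerable(conn, SQLI_PAYLOAD, "x"),
        "sqli_parameterized": login_parameterized(conn, SQLI_PAYLOAD, "x"),
        "xss_vulnerable": render_vulnerable(XSS_PAYLOAD),
        "xss_escaped": render_escaped(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

The vulnerable login returns both users for a password that was never supplied, while the parameterized version returns nothing for the same input and still authenticates `alice`/`hunter2` normally; the escaped renderer turns the `<b ...>` into `&lt;b ...&gt;`, which a browser shows literally. Prepared statements and context-appropriate output encoding, not input filtering, are what the WebGoat lessons for these two categories are meant to drive home.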
