Hacme Bank has both reflective and stored XSS already so what you are asking
for is already there.
We will have a new version due out around Jan 2005. I am taking feature
requests ;-)
-----Original Message-----
From: CFW [mailto:cfw_security@comcast.net]
Sent: Friday, November 05, 2004 4:33 PM
To: webappsec@securityfocus.com
Subject: Looking for a Web Application Vulnerable to XSS Cookie Grab
Hi all,
I am setting up a lab to learn about web application security and I have
been messing with WebGoat and Foundstone's HacmeBank and found them to be
very useful learning tools. One thing lacking in them (from what I can
tell) is a multiuser, XSS Cookie Grabbing example.
Basically, I would like to have a little application (or part of one of
these applications) that one (malicious) user can log in to and post a XSS
cookie grabber to a forum or guestbook or something. Then, the attacker
fires up a listener until another user logs in and hits the script, sending
the cookies to the listener. Then, the first user can change his cookies,
and see clearly that the web application thinks it is the second user. Does
anyone know of such an application?
The Foundstone Hacme Bank is almost there in that it has a "Post
Message" section that is vulnerable to XSS, but it is set up so that each
user sees only their own messages, so it is not possible to post a malicious
script to someone else. If the Foundstone people are reading this, have you
considered changing this behavior?
While I am asking, are there any other web applications like these that
I should set up? I looked at WebMaven, but it looks like that has been
overtaken by Hacme and Webgoat (correct me if I am wrong). Someone
mentioned a while back on pen-test that you could use an old version of
PHP-Nuke as a vulnerable site since it has a lot of known issues. Has
anyone done this and have any hints on what version is the most useful in
this respect (most vulnerable I guess)?
Thanks a bunch and have a good weekend.
Chuck
