> about
Vulnerabilities
The main page contains the following vulnerabilities.
VULNERABILITY | VIA |
---|---|
Cache Poisoning | Coming soon! |
Cookie Injection | cookies |
CORS Bypass | header |
CSRF | header injection |
CSS Injection | css, css2 |
Header Injection | cookie and header |
Response Splitting | cookie and header |
Template Injection | Jinja in most fields |
XSS | practically everywhere |
Secret Types
The main page contains the following secrets.
SECRET | LOCATION |
---|---|
SECRET_KITTEN | Cookie(secure) |
SECRET_GUPPY | Hidden Input |
SECRET_SQUIRREL | In BODY |
SECRET_MONKEY | Session Storage |
SECRET_AGENT | Cookie(HTTP only) |
SECRET_SAMURAI | HTTP header |
SECRET_PANDA | Server Side Local Variable |
SECRET_NINJA | Server Side Global Variable |
SECRET_UNICORN | Server Environmental Variable |
Why?
I got bored while creating yet another one-off test page to try out an attack technique, so I decided to make a page that contains all the major vulnerabilities that can safely be hosted on a third-party host. It also stores a bunch of secrets in the usual places so there's something to compromise. This is a work in progress; let me know if there's a change you'd like to see made. You can view the source code if you're curious what's happening server side (hint: not much).