Monday, May 23, 2011

PuzzleMall - A vulnerable web application for practicing session puzzling

The project generally consists of two parts:

(1) The first sub-project is a paper & presentation on a new application level attack (session puzzle), that can "compete" with attacks such as SQL Injection & XSS, or alternatively, enhance them and enable them to bypass all the commonly used input validation mechanisms (by causing the attack to originate from internal resources, instead of external).

The new attack vector was presented in a local OWASP chapter meeting (7 days ago), and two scanner vendors that attended the lecture expressed their interest to develop a plugin that detects the new attack.

It's new, unknown to many and could probably interest a wide audience.

The paper & presentation could be obtained from the following address:

(2) The second sub-project is a new vulnerable web application designed for practicing session puzzling (locating session puzzle exposures).
The application is easy to install, contains mostly session puzzle exposures, and can be accessed in the following URL:

No comments: