You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thought I'd leave this here in case anyone else came across this issue...
I'm running a kali linux vm with the citizenstig/nowasp image for reference.
I came across an issue with OWASP 2017 -> A1 Injection (Other) -> JavaScript Object Notation (JSON) Injection -> Pen Test Lookup (AJAX). When clicking the Lookup Tool the page does not display anything indicating an ajax response. I ran it through an intercept proxy (burpsuite) and saw I was actually getting a 404 error referencing an expected php file located at /mutillidae/ajax/pen-test-lookup-ajax.php (note that in this docker build, mutillidae was put in the /app directory and not /mutillidae)
I found that /app/pen-test-tool-lookup-ajax.php has a variable lURL that's set to /mutillidae/ajax/pen-test-lookup-ajax.php - it just needs to be changed to /ajax/pen-test-lookup-ajax.php.
I used the following docker exec commands to make the change:
docker exec NAME sh -c "sed -i 's:/mutillidae/ajax:/ajax:g' /app/pen-test-tool-lookup-ajax.php"
docker exec NAME sh -c "service apache2 restart"
I know it's not the most exciting exercise, but it was a quick fix. I haven't looked, but there may also be other instances of this issue scattered about.
The text was updated successfully, but these errors were encountered:
Thought I'd leave this here in case anyone else came across this issue...
I'm running a kali linux vm with the citizenstig/nowasp image for reference.
I came across an issue with OWASP 2017 -> A1 Injection (Other) -> JavaScript Object Notation (JSON) Injection -> Pen Test Lookup (AJAX). When clicking the Lookup Tool the page does not display anything indicating an ajax response. I ran it through an intercept proxy (burpsuite) and saw I was actually getting a 404 error referencing an expected php file located at /mutillidae/ajax/pen-test-lookup-ajax.php (note that in this docker build, mutillidae was put in the /app directory and not /mutillidae)
I found that /app/pen-test-tool-lookup-ajax.php has a variable lURL that's set to /mutillidae/ajax/pen-test-lookup-ajax.php - it just needs to be changed to /ajax/pen-test-lookup-ajax.php.
I used the following docker exec commands to make the change:
docker exec NAME sh -c "sed -i 's:/mutillidae/ajax:/ajax:g' /app/pen-test-tool-lookup-ajax.php"
docker exec NAME sh -c "service apache2 restart"
I know it's not the most exciting exercise, but it was a quick fix. I haven't looked, but there may also be other instances of this issue scattered about.
The text was updated successfully, but these errors were encountered: