Very Very Vulnerable, Inc.
This company doesn't exist. It's just a fiction I created for a talk at Django Boston. Their sprawling web empire is great for the sake of exploring how XSS and CSRF attacks work.
If you're just landing here, check out the slides first. Otherwise, the rest might be a bit confusing.
All the code is at github.com/johnhess/
- Slides (source)
- The variously vulnerable and evil web properties of Very Very Vulnerable, Inc:
- My personal site, used to launch some CSRF attacks (source)
- CSRF Attack against VCWA
- The same CSRF Attack, this time against CSRF-middleware protected SSDA.
- Abusing a "safe" HTTP method to attack SSDA.
- VeryVeryVulnerable.com (source is just a branch of jthess.com)
Looking for some more playgrounds to try out attacks? There are a bunch out there. Here are some I know of and that people have suggested to me.
Here's some reading that helped me make sense of things.