
Damn Vulnerable Web Application

Outline
How to install and run DVWA
Brute Force
Running some basic commands
CSRF
File inclusion
Exploit some SQL Injection attacks
Upload a malicious file
Exploit an XSS attack

Introduction
DVWA is a PHP/MySQL web application that is damn vulnerable to the most common web attacks.
The main goals are:
- to be an aid for security professionals to test their skills and tools in a legal environment;
- to help web developers better understand the processes of securing web applications;
- to be an aid for teachers/students to teach/learn web application security in a classroom environment.

How to Install and Run

1. Install XAMPP.
2. Download DVWA and extract it.
3. Copy the DVWA folder into the web server root.
4. Go to DVWA directory >> Config >> open config.inc.php and change
   $_DVWA[ 'db_password' ] = 'p@ssw0rd' to $_DVWA[ 'db_password' ] = ''

XAMPP

DVWA login page

DVWA admin panel

Setting low security

Brute Force

A great majority of web applications provide a way for users to authenticate themselves. By knowing a user's identity it is possible to create protected areas or, more generally, to have the application behave differently depending on which user has logged on.

In general, there are several methods for a user to authenticate to a system, such as certificates, biometric devices and OTP (One Time Password) tokens. However, in web applications we usually find a combination of user ID and password.

Therefore, it is possible to carry out an attack that retrieves a valid user account and password by trying many candidates (a dictionary attack) or all possible candidates.

After a successful brute force attack, a malicious user could have access to:

- Confidential information / data: private sections of a web application could disclose confidential documents, users' profile data, financial status, bank details, users' relationships, etc.
- Administration panels: these sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to users, etc.
- Further attack vectors: private sections of a web application could hide dangerous vulnerabilities and contain advanced functionality not available to public users.
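Added example (not part of the original slides or of DVWA): the defender's view of the attack just described. It parses constructed Apache-style access-log lines whose request shape follows DVWA's brute-force page (username and password sent as GET parameters) and flags any source IP that hits one account more than a threshold number of times inside a sliding window. The log lines, the endpoint path, and the threshold of 5 attempts per 60 seconds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines (not real DVWA logs). Six rapid attempts against
# "admin" from one address, one attempt against another user, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=a&Login=Login HTTP/1.1" 200 4391
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=b&Login=Login HTTP/1.1" 200 4391
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=c&Login=Login HTTP/1.1" 200 4391
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=x&Login=Login HTTP/1.1" 200 4391
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /vulnerabilities/brute/?username=admin&password=d&Login=Login HTTP/1.1" 200 4391
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/brute/?username=admin&password=e&Login=Login HTTP/1.1" 200 4391
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /vulnerabilities/brute/?username=admin&password=f&Login=Login HTTP/1.1" 200 4391
10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1200
"""

# Common log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only requests to the login endpoint (assumed path) carrying a username count.
LOGIN_RE = re.compile(r"^/vulnerabilities/brute/\?.*\busername=(?P<user>[^&]*)")


def parse_line(line):
    """Return (timestamp, ip, username) for a login attempt, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    login = LOGIN_RE.match(m["path"])
    if not login:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], login["user"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return the set of (ip, username) pairs exceeding the rate threshold.

    A per-key deque holds the timestamps inside the sliding window; once it
    reaches the threshold the pair is flagged. DVWA answers 200 for both a
    failed and a successful login, so attempts are counted rather than failures.
    """
    attempts = [a for a in (parse_line(l) for l in log_text.splitlines()) if a]
    attempts.sort()
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user in attempts:
        window = recent[(ip, user)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add((ip, user))
    return flagged


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

Keying on (IP, username) catches a single source working through a wordlist against one account; a distributed attack needs a second counter keyed on username alone, and the same deque logic applies.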

Example

SQL Injection

A SQL injection attack consists of the insertion or injection of a SQL query via the input data sent from the client to the application. SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

Input data must be validated to ensure that the web application operates on clean, correct and useful data.

Use SQL Injection to determine application users:
The query executed in the database looks like:
SELECT first_name, Last_Name from users where ID=1;

A way to extract all the first names and passwords from the table is to use the following injection string, which turns the query into:
SELECT first_name, Last_Name from users where ID=1 or 0=0;

Use SQL Injection to find DB type and version:

The basic idea is to make the database respond with an error message containing the database type and version. Entering a quote makes the DB treat everything after the quote as a plain string rather than SQL code, which causes a syntax error; the error message tells us that the database is MySQL, so we can use the appropriate queries to find out the version.
In MySQL the queries that return the version are:
SELECT version()
SELECT @@version
Enter the following strings:
1. union select @@version#
2. ' union select null, @@version #
The query that would extract the DB version is:
SELECT first_name, Last_Name from users where ID= union select null, @@version #;

Use SQL Injection to find host name and database name:
In MySQL the queries that retrieve the host name and database name are:
SELECT database()
SELECT @@hostname
So, what would be the injection string?

Use SQL Injection to display all available DBs and all of their tables:
information_schema is a database that contains metadata about every database in the installed MySQL instance.
Enter the following string:
a' UNION select table_schema,table_name FROM information_Schema.tables;#
Try to find the Damn Vulnerable Web App database and its tables.
Now set DVWA to high security and attack again.
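Added example, not DVWA's own code: the vulnerable lookup from the slides (the ID pasted into the SQL string) next to a hardened version, written in Python with sqlite3 as a stand-in for PHP/MySQL so it runs anywhere. The users table and its rows are constructed; the injection strings are the ones already on the slides (1 or 0=0, and a lone quote). It shows that the concatenated query returns every row and surfaces the engine's raw error text to the client, while the hardened version validates the ID against an allow-list, binds it as a parameter, and returns only a generic error message. sqlite3 has no @@version, but the error-disclosure point is the same for any engine.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the DVWA users table (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Ada", "Lovelace"), (2, "Alan", "Turing"), (3, "Grace", "Hopper")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The slide's query shape: the input becomes part of the SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id=" + user_id + ";"
    return conn.execute(sql).fetchall()


def error_text_vulnerable(conn, user_id):
    """What the version-finding slide relies on: the raw DB error reaches the client."""
    try:
        lookup_vulnerable(conn, user_id)
        return ""
    except sqlite3.Error as exc:
        return str(exc)


def is_valid_id(user_id):
    """Allow-list validation: the ID parameter may only be a decimal integer."""
    return user_id.isdigit()


def lookup_safe(conn, user_id):
    """Validated input, a bound parameter, and no engine error text in the response."""
    if not is_valid_id(user_id):
        return {"rows": [], "error": "invalid user id"}
    try:
        rows = conn.execute(
            "SELECT first_name, last_name FROM users WHERE user_id=?",
            (int(user_id),),
        ).fetchall()
    except sqlite3.Error:
        # Log the real exception server-side; the client sees a generic message,
        # so nothing in the response identifies the database engine or version.
        return {"rows": [], "error": "lookup failed"}
    return {"rows": rows, "error": None}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))           # the one intended row
    print(lookup_vulnerable(db, "1 or 0=0"))    # every row, as on the slides
    print(error_text_vulnerable(db, "1'"))      # raw engine error text
    print(lookup_safe(db, "1 or 0=0"))          # rejected before any SQL runs
```

The parameter binding alone would already stop the injection; the allow-list check is cheap defence in depth for a value that can only ever be an integer, and the generic error message closes the information leak the "find DB type and version" slide depends on.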

Unrestricted File Upload:

The first step in many attacks is to get some code onto the system to be attacked. Then the attacker only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.

Upload a malicious PHP file:

1. Copy a JPG file and a PNG file to the root.
2. Choose an HTML file in the root path and try to upload it.
3. Try to upload the JPG and PNG files as well.
4. Give it a try with medium and high security.

Note:
- Check the HTML code to figure out what the differences are.
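Added example, not DVWA's own code: an upload check written in Python as a stand-in for the server-side checks behind the medium and high levels. It allow-lists extensions, compares the file's leading bytes with the JPEG and PNG signatures, deliberately ignores the browser-supplied Content-Type (the client controls it), stores the file under a server-chosen random name, and keeps uploads outside the document root so they are served as data rather than executed. The sample byte strings, the size limit and the upload directory are constructed assumptions for this example.

```python
import os
import secrets

# Extension allow-list mapped to the leading bytes a genuine file must have.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",          # JPEG start-of-image marker
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",      # PNG signature
}
MAX_BYTES = 512 * 1024                 # assumed size limit
UPLOAD_DIR = "/var/app/uploads"        # assumed location outside the web root

# Constructed sample contents (not real image files).
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 28
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_HTML = b"<html><body>hello</body></html>"


def check_upload(filename, content, claimed_type=None):
    """Return (accepted, reason, stored_name).

    claimed_type is the browser-supplied Content-Type. It is taken as an
    argument only to make the point that it is never consulted: the decision
    rests on the extension allow-list and the file's actual leading bytes.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None
    if len(content) > MAX_BYTES:
        return False, "file too large", None
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension", None
    # Server-chosen name: the client's filename never reaches the filesystem.
    stored = secrets.token_hex(8) + ext
    return True, "ok", stored


def stored_path(stored_name):
    """Final location: outside the document root, so the web server never executes it."""
    return os.path.join(UPLOAD_DIR, stored_name)


if __name__ == "__main__":
    for name, data, ctype in [
        ("photo.jpg", SAMPLE_JPG, "image/jpeg"),
        ("page.html", SAMPLE_HTML, "text/html"),
        ("page.jpg", SAMPLE_HTML, "image/jpeg"),
    ]:
        print(name, check_upload(name, data, ctype))
```

Walking through the slide's exercise with this check: the HTML file is refused by the extension rule, and the same HTML renamed with a .jpg extension (or sent with a forged Content-Type) is refused by the signature comparison, which is the gap the medium level leaves open and the high level's image check closes.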

Cross Site Scripting:

Cross-Site Scripting attacks are a type of injection problem, in which client-side script is injected into web pages viewed by other users.

XSS basic exploit test:

1. Select XSS Stored from the left navigation menu.
2. Name: Test 1
3. Message: <script>alert('my xss attack')</script>
4. Sign Guestbook

Note:
- This XSS exploit will be displayed to all users, because the message is stored on the server.

XSS Stored IFRAME Exploit Test:

1. Reset the database.
2. Select XSS Stored from the left navigation menu.
3. Input Name: Test 2
4. Input Message: <iframe src=http://www.cnn.com ></iframe>
5. Sign Guestbook

Notes:
- We need to reset the database, otherwise each earlier XSS payload would keep appearing in every later example.
- This is a powerful exploit because a user could use SET to create a malicious cloned website and place it here.

XSS Stored COOKIE Exploit Test:

1. Reset the database.
2. Select XSS Stored from the left navigation menu.
3. Input Name: Test 3
4. Input Message: <script>alert(document.cookie)</script>
5. Sign Guestbook

Notes:
- It is possible to modify this XSS script to send the cookie to a remote location instead of displaying it (man in the middle attack).
- Check the PHP code to figure out what the differences are.
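Added example, not DVWA's own code: a Python stand-in for the guestbook rendering that shows why the stored messages above run in every visitor's browser, and the two mitigations a developer would apply: HTML-escaping stored text on output, and marking the session cookie HttpOnly so document.cookie cannot read it. The messages are the ones the slides ask you to enter; PHPSESSID is PHP's default session cookie name and the session value is constructed.

```python
import html
from http.cookies import SimpleCookie

# The two guestbook messages from the slides.
SCRIPT_MESSAGE = "<script>alert(document.cookie)</script>"
IFRAME_MESSAGE = "<iframe src=http://www.cnn.com ></iframe>"


def render_entry_vulnerable(name, message):
    """Stored XSS: the saved message is echoed into the page unchanged."""
    return "<div><b>" + name + "</b>: " + message + "</div>"


def render_entry_escaped(name, message):
    """Output encoding for an HTML text context: < > & " ' become entities."""
    return "<div><b>" + html.escape(name) + "</b>: " + html.escape(message) + "</div>"


def session_cookie_header(session_id):
    """Set-Cookie value for the session: HttpOnly keeps it out of document.cookie."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True   # script cannot read it
    jar["PHPSESSID"]["secure"] = True     # sent only over HTTPS
    jar["PHPSESSID"]["samesite"] = "Lax"  # not attached to cross-site requests
    return jar["PHPSESSID"].OutputString()


if __name__ == "__main__":
    print(render_entry_vulnerable("Test 3", SCRIPT_MESSAGE))
    print(render_entry_escaped("Test 3", SCRIPT_MESSAGE))
    print(render_entry_escaped("Test 2", IFRAME_MESSAGE))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Escaping on output is the fix for the injection itself; the HttpOnly flag is defence in depth that limits what the cookie-stealing variant in the last note can reach even if some other page still echoes input unescaped.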

Thank you
