Institute of Technology and Management, Gorakhpur

Integrated Technical Campus: Engineering, Pharmacy & Management

Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Course: B. Tech / Branch : CS/ Year: II / Semester :IV

Subject: CYBER SECURITY WORKSHOP
(BCS 453)

Introduction: Damn Vulnerable Web App (DVWA)

This package contains a PHP/MySQL web application that is damn vulnerable. Its main goal is to
be an aid for security professionals to test their skills and tools in a legal environment, help web
developers better understand the processes of securing web applications and to aid both students
& teachers to learn about web application security in a controlled class room environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various
levels of difficulty, with a simple straightforward interface. Please note, there are both
documented and undocumented vulnerabilities with this software. This is intentional. You are
encouraged to try and discover as many issues as possible.
WARNING: Do not upload it to your hosting provider’s public html folder or any Internet facing
servers, as they will be compromised.

Pre-Requisites to install DVWA

Already have a Kali Linux Server Up and Running.

Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications and aid
teachers/students to teach/learn web application security in a class room environment.

Attacks Covered in DVWA

● Brute Force
● Command Execution
● CSRF
● File Inclusion
● SQL Injection
● SQL Injection (Blind)
● Shell Uploading
● XSS ( Reflected )
● XSS ( Stored)

Benefits of DVWA –

● Hacking anything without the permission is a Crime. So as a student or beginners from where
you got this permission so you can use this. For advanced users to sharpen their skill DVWA
is the best platform.
● In DVWA you do not have to take permission from others, you can simply install this in a virtual
environment and start using it.
● It is very simple to install.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

● This is the best place to do hacking.

● In fact, this is running in your local environment and it is totally legal.
As well as being vulnerable, DVWA has some other features which aid in the teaching or learning of
web application security. DVWAs Security features can be divided into two parts, one is the security
levels and the other is PHP-IDS.

The security levels are named low, medium, high and impossible. Each level changes the vulnerability state of
DVWA throughout the application. By default when DVWA is loaded the security level is set to Impossible.

PHP-IDS is a popular PHP Intrusion Detection System (IDS) also known as a Web Application Firewall
(WAF). PHP-IDS works by filtering any user supplied input against a blacklist of potentially malicious
code. PHP-IDS is used in DVWA to serve as a live example of how WAFs can help improve security in
web applications and in some cases how WAFs can be circumvented.
The first step is to download the source code of DVWA application from one of the best open source
repository database i.e. Github by typing the following command in your terminal: Command: git clone
https://github.com/ethicalhack3r/DVWA
Note: Make sure that, you must download the above package of DVWA inside /var/www/html directory.

Setup a Vulnerable Web Server DVWA in Kali Linux local host.

How to Setup
Setting up vulnerable server is very easy. Now we set up DVWA in our kali Linux machine. DVWA is
designed for practice some most common web vulnerability. It is made with PHP and MySQL.
Lets’s Start
In Linux environment localhost files are stored in /var/www/html directory, so we open a terminal and
change our directory to that directory using following command:

Here we clone DVWA from it’s Github repository. To clone it we run following command:

After the cloning complete, we rename the DVWA to dvwa (it is not necessary but it will save our effort).
Then we change the permission on dvwa directory by using following command:-

Now we have to setup this web application to run properly for that we have to go into /dvwa/config
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

directory.
In the above screenshot we can see the config.inc.php.dist file. This file contains default configuration.
We need to make a copy of this file with .php extension name, we are coping this file because in future if
anything goes wrong then we have the default values. So we copy this file with .php extension name
using following command:

Edit this config.php file

The Screenshot is following :-

We will make changes in this part the p@ssw0rd to pass and the user from root. see the following
screenshot:-

Then we save and exit.

The next is configuring the database.

Here we have opened a new terminal window closing the previous one. We start the mysql at first using
following command:-
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

If there are no errors that means the service is started. Now

let’s login to mysql using following command:-

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Now to setup a database, we start with creating a new user by applying following command. create user
'user'@'127.0.0.1' identified by 'pass';
Here using this command we are creating a user called ‘user’ running server on 127.0.0.1(localhost) and
the password is ‘pass’. Remember that this username and password should exactly same as the password
and username we have entered in the configuration file of dvwa web application.

In the screenshot we can see the query is OK. That means the user is created.

Then we grant this user all the privileges over the database. For that we type following command:- grant all
privileges on dvwa.* to 'user'@'127.0.0.1' identified by 'pass';

Yes, we have finished the work of database, now we configure the server. For this we need to configure
our apache2 server. Let’s change our directory to /etc/php/7.4/apache2

Here we are using version 7.4, if we use another version then the path might be change. cd
/etc/php/7.4/apache2
Here we configure the php.ini file.
We need to change the allow_url_fopen and allow_url_include values. We set both of them ‘On’. In some
cases when we are first time configuring it, we might find that one of this or both of this configuration is
set to ‘Off’. We have turned both of these configuration to ‘On’, as the following screenshot:-

Then we save and close the file.

Then we start the apache2 server using following command:- service apache2
start
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Let’s open the browser and navigate to 127.0.0.1/dvwa/ first open will open the setup.php as shown in the
screenshot.

Here we scroll down and click on “Create/Reset Database”.

Then it will create and configure the database and we redirected to DVWA login page.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

The default login is

● Username:- admin
● Password:- password
After login we are in Damn Vulnerable Web Applications main page. Here is some general
information and warnings.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

On the left side we can see lots of vulnerable pages are available we can practice here.

DVWA have different security levels to change those we navigate to DVWA security. There are some
security levels low, medium, high, impossible. We can choose difficulty as we need.
Now we can run penetration testing tools and techniques in our localhost.
This is how we can setup DVWA, Damn Vulnerable Web Application in our Kali Linux system.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Experiment – 7

SQL Injection

Objectives:

a. To practice SQL injection attacks using DVWA.

b. Demonstrate how an attacker can manipulate input fields to extract, modify or delete
database information

Introduction:
SQL injection is a technique used to extract user data by injecting web page inputs as statements through
SQL commands. Basically, malicious users can use these instructions to manipulate the application’s web
server.

1. SQL injection is a code injection technique that can compromise your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the injection of malicious code into SQL statements via web page input.

Requirements:
● Xampp/Wamp Server
● DVWA Lab
● Kali Linux: Burp suite, SQLmap tool

Now open the DVWA in your pc and log in with following credentials:
Username – admin
Password – password
Click on DVWA Security and set Website Security Level low
From the list of vulnerability select SQL Injection for your attack.
Type user ID: 1 in the text box. Don’t click on submit button without setting browser proxy. Set your
browser proxy to make burp suite work properly.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

The flaw in the code you provided is that it is vulnerable to SQL injection attacks. The vulnerability arises
from directly concatenating user input into the SQL query without proper sanitization or parameterization.

Here’s an explanation of the flaw and the recommended solution:

In the code, the variable $id is retrieved from the user input without any validation or sanitization. It is
then directly concatenated into the SQL query string:

$id = $_REQUEST['id'];
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

This allows an attacker to manipulate the value of and inject malicious SQL code, potentially leading to
unauthorized access, data leakage, or even complete loss of data.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

This means that the query that was executed back in the database was the following:

1' OR '1'='1'#

'UNION SELECT table_name, NULL FROM information_schema.tables --

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

'UNION SELECT column_name, NULL FROM information_schema.columns WHERE

table_name= 'users' --

Now we can see we got both username and encrypted password.

'UNION SELECT user, password FROM users --

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Medium
We will intercept the request and send it to the repeater.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Edit id=1 to this code then send it and we can see the results in response.

1 UNION SELECT user, password FROM users --

High
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

For high level, after clicking the “here to change your ID”, we can see a window where we can insert our
malicious code.

' UNION SELECT user, password FROM users --

After submitting the code, we can get usernames and passwords.

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Experiment – 8

Cross – Site Scripting (XSS) Objectives:

a. Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web pages.
b. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites

Introduction: Cross Site Scripting (XSS):

Cross Site Scripting or XSS is the most critical vulnerabilities in web applications. XSS allows the
attacker to send malicious scripts or code to the victim's computer system. With that code injection can
come numerous malicious activities.
If an application is vulnerable to XSS, the hacker can develop a URL that includes malicious code and
pass the code to the app as a legitimate user. When the user clicks on the link sent by the hacker, the
request is sent to the app. The code or script is generated on the server, sent to the user's browser and is
executed.

The classic Proof of Concept (POC) for XSS is to use JavaScript to trigger an alert box when the script is
run in the user's browser. This in itself is not malicious, but only indicates that the application is
vulnerable to injecting code.

XSS Payloads:

XSS can deliver multiple types of payloads. Javascript is powerful and flexible and therefore is capable of
delivering a wide range of malicious payloads. Some of the payloads include; 1. Pop up alerts
2. Hijacking session identifiers
3. Downloading and installing software
4. Redirecting to a different URL
5. Installing a keylogger
4. Invoking a reverse shell such as the Metasploit meterpreter
5. Launching client side attacks

Types of XSS

XSS is often divided into at least two types;

1. Reflective or Non Persistent
2. Persistent or Stored
Reflective XSS usually involves code that is "reflected" back to the web page and does not persist after
one use. Persistent or Stored XSS, as the name implies, is stored within the application and can be run
multiple times by multiple users.

In the following section, we will be using the DVWA to demonstrate such attacks and vulnerabilities.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Step 1: Connect to the DVWA

To start, boot up a system running DVWA. Then, connect to the DVWA with your browser from your
Kali system.

Step 2: Set Security to Low

Using some simple XSS that is usually sanitized by modern secure web applications. For demonstration
purposes we are disabling that sanitizing process. For that reason, we need to set the security level on our
DVWA to "low".

Step 3: Reflected XSS Attacks

To perform a Reflected XSS, the victim must perform some action such as clicking on a link, doing a
search or some other functionality. The victim must also be logged into the application when they click on
the link.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

To start, navigate to the Reflected XSS page in DVWA as seen below.

Now, go ahead and enter your name. I entered my name in the form "Occupy the web".

As one can see above, the application comes back and greets me "Hello Occupy the web" after hitting
Submit.

This time we will enter some script and see whether we can get the application to execute it. The script to
enter is;

<script>alert("Hello Hackers-Arise ") </script)

A cursory examination of this script reveals that we are triggering an alert box and having the alert box say
"Hello Hackers Arise"

So, instead of entering our name into the form, let's enter this script. Now, hit
Submit.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

As you can see, the script was executed and an alert box was triggered with the message "Hello Hackers-
Arise". Clearly, this application is vulnerable to a Reflected XSS attack!
Reflected XSS is a one-time attack. Whoever clicks on the link will have the script executed in their
browser.

Step 4: URL Address Bar Attack

When we ran the Reflected XSS, you can see that the URL created by the attack changed. We could use
this URL that was created to execute the attack. The attacker could send this link to the victim to execute
the attack. To demonstrate, simply copy and paste the URL and enter it into another tab in your browser.

As you can see, it works equally well to trigger the Reflected XSS attack.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Step 5: Attacking Session Cookies

Although generating a pop-up alert box is interesting and proves the concept, it really does not provide
the attacker anything of value. What if we could have the alert box grab the session cookie of the victim?
In this way, the attacker could then use the cookie to authenticate against the app as the legitimate user.
In this case, we will create a script that generates an alert, grabs the session cookie and displays it. The
following script should do just that.

<script>alert(document.cookie)</script>

As you can see, when we run this script, the application grabs and displays the users session ID that then
could be used to authenticate the attacker to the application!
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Step 6: Persistent or Stored XSS Attacks

The persistent or stored XSS is very different from the Reflected XSS attack. Most importantly, the
attacker does not need to social engineer the victim to click on a URL, but rather stores the malicious
code into the application. In this way, every one who visits the malicious web page will fall victim to this
attack.

Persistent XSS attacks are far more malicious and damaging than reflected attacks. They are capable of
attacking numerous victims and implanting malware or other payloads into the target system.
Let's start by clicking on the DVWA Stored Cross Site Scripting app.

This app represents a "Guest Book" of a web app where each user can enter their name and comments.
Obviously, a Guest Book will store the information entered into a back-end database (MySQL in this
case). If we can send a script to that back-end database, our script will be stored there and run time and
time again as people visit and use the Guest book.

Let's begin by entering our name, OTW. Then let's enter a bit of Javascript.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

<script>alert("Hackers-Arise is BEST")</script>

If this script runs, it will open an alert box stating the obvious "Hackers-Arise is BEST".

When we click "Sign Guestbook", an alert box opens stating what we all know to be true.

As the application stores this information into the back-end database, we may be able to get that script to
run whenever anyone logs into the Guestbook.

Let's test that by entering as a different Guest and enter a different message. In this case, I will enter as
"John Doe" and leave a message "I'm so happy to be here".
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

When John Doe clicks to "Sign Guestbook" they get the same message that "Hackers-Arise is BEST".
Our XSS has persisted in the database and every guest will now be greeted with our message!

Cross Site Scripting (XSS) is one of the most important and malicious vulnerabilities in web applications.
These attacks are capable of injecting any number of malicious payloads into the victim's browser and
ultimately into their computer system.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Experiment – 9

Cross – Site Request Forgery (CSRF)

Objectives:

Set up a CSRF attack in DVWA to demonstrate how attackers can manipulate authenticated users into
performing unintended actions

Introduction:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a
web application in which they’re currently authenticated. With a little help of social engineering (such as
sending a link via email or chat), an attacker may trick the users of a web application into executing
actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the
user to perform state changing requests like transferring funds, changing their email address, and so forth.
If the victim is an administrative account, CSRF can compromise the entire web application.

Before going into implementation, it would be nicer to understand why and how the attacks work. To
elaborate, first, we need to know what HTTP protocol is. HTTP protocol (a.k.a Hyper Text Transfer
Protocol) is a network protocol for the web applications.

It works as following:

Clients ask for HTTP request to server, and server responds to the client by giving status code. However,
it is very important to notice that HTTP is stateless. That is, there is no record of previous interactions
and thus, users have to go through the authentication/verification process whenever they make a new
request. Think of checking email. Though you have definitely logged into google to check your email,
you have to log in again when you check your mailbox. What a big inconvenience! And this is where the
session and cookie come in.

Two things to know. The first cookie, and second session. cookie contains data in form of dictionary for
purpose of transferring data between client and server. And session is to have a state, allowing to maintain
a particular state until closing the browser. The basic idea is following:

Once accessing to web application, cookie is stored at local hard disk and session ID is generated, and
session ID is also stored in cookie. if clients try to access again, cookie with session ID is transferred to
web server to give false impression that clients have been maintaining the state.

Changing Password with CSRF using DVWA

As the default setting is set to be impossible, please change its security to be low.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

First, we need to know how the process normally works. Please select CSRF from the menu bar, and try
to change the password. Accordingly, you can find the HTTP request on Burp-suite as following.

Get method to transfer new password being used

User can notice that Get method is used to transfer passwords without any encryption. What we are
going to do is that by exploiting data from HTTP request, we aim to change the password of the victim
as we have previously set.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

To make it a bit realistic, I sent an e-mail claiming that I won a lottery to myself (victim) with HTML
containing a malicious request. Like this. (you can find sample HTML file(csrf.html)

below is the part of the code to make request to server.

As seen in the figure attached above, the code is written in JavaScript and the very same parameters that
we obtained from Burp-Suite is used.

Once the receiver (me) found the e-mail and clicked the provided link, you can find that Get request is
transferred to web server and the password of the innocent receiver has been simultaneously changed. The
thing is unless specifically notified of changing password, the victim is very unlikely to notice the change.
While I have made a button to make change visible, You may try to use on load function.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

On left, you can find request has successfully transferred / On right is the screen of csrf.html In order to

launch an attack successfully, it is necessary that the victim should be logged in.

Try to distinguish between normal request (left) and malicious request(right)

The grounds for a successful attack lie on the cookie. As seen above, the same cookie has been used,
meaning that web server has no choice but to treat the malicious requests as equally as normal requests.
Also, you can notice that the parameter for changing password and referer, origin indicating where the
request came from have been changed.
Next, we will try to hack medium level. In medium level, web server tries to protect itself from being
attacked by checking ‘referer’.

Changing security level to medium — it checks ‘referer’

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

You can see that an identical attack used for low security does not work as intended. You can check this
on Burp-suite (click the response tab for the request and go to render.

Checking the response — it fails to change password

However, checking the referer cannot be an ultimate solution because attack can be implemented on the
very particular web server, thus avoiding the protection scheme. Moreover, if you look into the code, it
can be shown that protection will become useless if the attacker include web server address.

Changing file name makes attack successful!

DVWA provides one of ideal solution to protect password from CSRF attack. That is, to require users to
provide current password. It can be seen if you change security level to impossible.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

If the attacker implements CSRF only attack, there is no way for him to get current password. As he cannot
extract current password, the attack is never going to happen.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Experiment 10

File Inclusion Vulnerabilities

Objectives:

a. To Explore remote and local file inclusion vulnerabilities in DVWA.

b. To show how attackers can include malicious files on a server and execute arbitrary code

Definition: File Inclusion Attack

It is an attack that allows an attacker to include a file on the web server through a php script. This
vulnerability arises when a web application lets the client submit input into files or upload files to the
server. A file include vulnerability is distinct from a generic Directory Traversal Attack, in that directory
traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts
how an application loads code for execution. Successful exploitation of a file include vulnerability will
result in remote code execution on the web server that runs the affected web application.

This can lead to the following attacks:

1. Code execution on the web server

2. Cross Site Scripting Attacks (XSS)
3. Denial of Service (DOS)
4. Data Manipulation Attacks

Types:

a) Local File Inclusion

b) Remote File Inclusion

LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This
can be very dangerous because if the web server is misconfigured and running with high privileges, the
attacker may gain access to sensitive information. If the attacker is able to place code on the web server
through other means, then they may be able to execute arbitrary commands.

RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine,
the attacker is able to execute code hosted on their own machine.
Remote File inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often found in
poorly-written web applications. These vulnerabilities occur when a web application allows the user to
submit input into files or upload files to the server.
a. Local File Inclusion in Action

Difficulty: LOW
Now start your machine and login to DVWA, then go to DVWA security tab and change the difficulty
level to low.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Go to file inclusion tab and change the URL from incude.php to ?page=../../../../../../etc/passwd.

change the URL from?page=../../../../../../etc/passwd to ?page=../../../../../../proc/version.

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Difficulty: MEDIUM
Now, go on and try the exploits we used in low difficulty. You will notice that you can’t read files like
before using the directory traversal method. So, as you can see in the below snapshot of source page, the
server is more secure and is filtering the ‘../’ or ‘..\’pattern. Let’s try to access the file without ‘../’ or ‘..\’.
Change include.php to /etc/passwd

Now,change the URL from?page=/etc/passwd to ?page=/proc/version.

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

As you can see, it worked by directly entering the name of the file. Let’s level up the difficulty to HIGH.

Difficulty: HIGH
Change the difficulty to HIGH and try all exploits from medium difficulty, and you’ll notice none of them
will works because the target is more secure, as it is only accepting “include.php”
or inputs starting with the word “file”. If you try anything else, it will show “File not Found”.

In this level of security, we can still gather sensitive info using the “File” URI scheme. (because it starts
with the word “file”)
Change the URL from include.php to ?page=file:///etc/passwd

You will get the data of /etc/passwd file.

This is how you can exploit file inclusion vulnerability using local files on the web server. Remote File
Inclusion in Action

Now, let’s try to exploit this vulnerability using remote files hosted on the attacker machine.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Difficulty: LOW
Now, Let’s start with the Low difficulty.
Change the difficulty to low and go to file inclusion tab.
Let’s change include.php to http://www.google.com so the final URL will look something like this,
?page=http://www.google.com

Difficulty: MEDIUM
Change the difficulty to medium and check as we did it in the low difficulty. You’ll notice, it’s not
working anymore. The target is now filtering “http” and “https” as shown in source page.

So try the attack with “HTTP” (in CAPS) or any one word in caps like I used as shown in snapshot
(httP)and it’ll work.

?page=httP://imdb.com
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Difficulty: HIGH

We can’t exploit the high difficulty using RFI as we can see in source page, we know that the target web-
server is only accepting “include.php” or anything that’s starting with the word “file” that’s why we can’t
include anything from an outside server.

Points to Secure against File Inclusion Vulnerability:

a) Strong Input Validation.

b) A white list of acceptable inputs.
c) Reject any inputs that do not strictly conform to specifications.
d) For filenames, use stringent whitelist that limits the character set to be used.
e) Exclude directory separators such as “/”.
f) Use a white list of allowable file extensions.
g) Environment Hardening.
h) Develop and run your code in the most recent versions of PHP available.
i) Configure your PHP applications so that it does not use register globals.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

j) Run your code using the lowest privileges.

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Experiment – 11

Brute Force and Dictionary Attacks

Objectives: Use DVWA to simulate login pages and demonstrate Brute Force and
Dictionary Attacks against weak passwords. Emphasize the importance of strong password
policies.

Introduction: Brute Force Attack

A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden
web page. Hackers work through all possible combinations hoping to guess correctly. These
attacks are done by ‘brute force’ meaning they use excessive forceful attempts to try and ‘force’
their way into your private account(s). This is an old attack method, but it's still effective and
popular with hackers. Because depending on the length and complexity of the password,
cracking it can take anywhere from a few seconds to many years.

Burp Suite is one of the most helpful website hacking tools for conducting security testing of
web applications. It has various ethical hacking tools that work seamlessly together to support
the entire penetration testing process. It ranges from initial mapping to analysis of an
application’s weakness.

a. Brute Force attack on DVWA with Burp Suite

Step 1: Inside DVWA, select the Brute Force option, which takes user to a Login page.

Step 2: Enter admin for the username and admin for the password, which is the wrong
username and password.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Step 3: In the Burp Suite tool, follow the path: Target → Site map → http://localhost → URL
Containing the following:
/DVWA/vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.1

The Raw Request data is the HTTP request sent to the server during a brute-force attack. It
contains all the details required to send a request, such as the HTTP method, target URL,
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

request headers, and request body.

As one can see, the username and password, admin & admin, user initially tried to log in with
appears in line 1.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Navigated to Request → Raw tab → Right-click inside → Send to Repeater.

Step 4: Select the Repeater tab.

The Repeater in Burp Suite is a tool that allows security testers to manually modify and re-send
HTTP requests and view the responses from a web application. It is a handy tool for testing the
functionality and security of web applications, as it allows testers to quickly and easily modify
the parameters and other data in a request to see how the application responds.
In addition to modifying requests, the Repeater displays the responses received from the
application, allowing testers to analyze and assess the security of the application’s response
handling. Testers can also use the Repeater to compare responses to identify differences and
inconsistencies that could indicate a vulnerability or other security issue.

Step 5: Right-click inside the Raw data area → Send to Intruder.

The Intruder in Burp Suite performs automated attacks on web applications and is designed to
automate sending a large number of requests with various payloads to a target application to test
for vulnerabilities. For example, the Intruder can try multiple input validation vulnerabilities,
such as SQL injection, cross-site scripting (XSS), buffer overflows, and directory traversal
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

attacks.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Step 6: Select the Intruder tab → Positions.

Here we can Choose an attack type, Add or Clear payload markers, and Start attack.

Clear all the payload markers, which are highlighted in green.

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

All payload markers cleared.

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Step 7: Insert new payload markers.

Highlighted admin after username → Selected Add.

Highlighted admin after password → Selected Add.

Both username=admin and password=admin are marked as payloads.

Step 8: Selected Choose an attack type → Cluster bomb.

 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Clicked on the Payloads tab to configure and add a list of strings used as payloads.
For the first Payload set, Type a list of 17 words for the username.

Click the drop-down arrow in Payload set and select 2 for the second Payload set.

b. Start the Attacking with Kali Linux using dictionary attack for authentication login.
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Step 1: The DVWA website from victim machine

Step 2: The website victim we will try to attack using password attack , it’s called dictionary
attack.

Step 3: We will open Burp on Kali and interrupt the request and send it to the intruder to use the
dictionary attack.

Burp Proxy
 Institute of Technology and Management, Gorakhpur
Integrated Technical Campus: Engineering, Pharmacy & Management
Approved by AICTE, Pharmacy Council of India, New Delhi & Affiliated to BTEUP, Lucknow
AL-1, Sector - 7, GIDA, Gorakhpur - 273209 (UP)

Burp Intruder

We will use the most common password list in the payload to do the attack.