Web Application Vulnerabilities
Even though most of the exploits used at the low security setting of the Damn Vulnerable Web Application (DVWA) should be known to web developers, the underlying bugs are still common across the web. DVWA is built for students and web developers to get a better understanding of application security by hacking away at its arsenal of deliberately planted vulnerabilities. So, here is my try at SQL injection and reflected cross-site scripting (XSS) attacks!
On the server I disable the W3SVC service so it doesn't occupy ports and tangle up my own Apache server later on.
I also set the User Account Control settings to never notify.
I take a note of the warning that comes up when starting the XAMPP installer; it might give us valuable information later on.
Then I run through the installer.
After problems launching the Apache server, I resolved them by changing ports.
I now continue by extracting and configuring DVWA.
Setting the password to "" - an empty string - nothing.
In Windows Firewall, I allow inbound requests on the specific ports.
And I register the server website as a secure site, following the IE wizard once I visit the site.
Having added it as a trusted site, I can now configure DVWA.
I start off by setting the security level to low.
Pinging the server, packet size of 32 bytes.
Pinging with the time to respond command -i 800 127.0.0.1 and seeing a packet size of 800 bytes.
The server | dir command returns a listing of the directory where the DVWA folder is located.
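The three ping steps above are DVWA's command injection page: whatever is typed into the IP field is appended to a ping command and handed to a shell, which is why a trailing | dir runs dir on the server. The Python below is an added example, not code from this write-up or from DVWA (which is PHP), contrasting that pattern with one that validates the input as an IP address and passes an argv list instead of a shell string. The ping flags and the three-echo count are assumptions; the payloads are constructed.

```python
import ipaddress
import subprocess
import sys

# Windows ping takes -n for the echo count, Unix ping takes -c (assumption: three echoes).
COUNT_FLAG = "-n" if sys.platform.startswith("win") else "-c"


def build_vulnerable_command(target):
    """Mirrors the DVWA-low pattern: the form field is glued into a shell string.
    Anything the shell understands (|, &, ;, &&) becomes part of the command."""
    return f"ping {COUNT_FLAG} 3 {target}"


def run_vulnerable(target):
    """shell=True hands the whole string to cmd.exe / sh, so '127.0.0.1 | dir' runs dir."""
    return subprocess.run(build_vulnerable_command(target), shell=True,
                          capture_output=True, text=True)


def is_valid_target(target):
    """Allow-list check: accept only something that parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def build_safe_argv(target):
    """Validate first, then build an argv list: no shell, so metacharacters are inert."""
    if not is_valid_target(target):
        raise ValueError(f"not an IP address: {target!r}")
    return ["ping", COUNT_FLAG, "3", str(ipaddress.ip_address(target.strip()))]


def run_safe(target):
    """shell=False: the validated address is a single argv element, never re-parsed."""
    return subprocess.run(build_safe_argv(target), shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed inputs: one legitimate, two carrying shell metacharacters.
    for payload in ("127.0.0.1", "127.0.0.1 | dir", "127.0.0.1 && whoami"):
        print(f"{payload!r:24} shell string: {build_vulnerable_command(payload)!r}")
        print(f"{'':24} accepted by allow-list: {is_valid_target(payload)}")
```

The important difference is not the validation alone but the combination: even with a validated address, shell=True would still re-parse the string, so the hardened path never builds a shell string at all.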
In fact, this attack gives us full access to the database: little to no work has been done to sanitize the input data. In more advanced SQL injection one can use database-specific commands to determine which DBMS and version are being run.
"Breaking" the site by returning an error from the DB: in this case a single quote (') alone broke the internal SQL command.
The payload 1' or '1' = '1 returns all rows.
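The two SQL injection probes above (the lone quote that breaks the query and 1' or '1' = '1 that returns every row) reproduced as an added Python example against an in-memory SQLite table. This is not the write-up's or DVWA's code (DVWA uses PHP and MySQL); the users table and its rows are constructed. The parameterised lookup beside it shows why binding the id as data stops both behaviours.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (assumption: only id and names matter here).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA-low style: the id from the form is spliced into the SQL text, so the
    attacker's quotes and operators are parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the id is bound as a value and can never change
    the statement's structure."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def breaks_query(conn, payload):
    """True if the payload makes the database raise a syntax error: the
    'single quote breaks the page' probe from the lab."""
    try:
        lookup_vulnerable(conn, payload)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "'", "1' or '1' = '1"):
        outcome = "DB error" if breaks_query(db, payload) else lookup_vulnerable(db, payload)
        print(f"vulnerable {payload!r:18} -> {outcome}")
        print(f"safe       {payload!r:18} -> {lookup_safe(db, payload)}")
```

With the bound parameter the injected string is compared as a whole against user_id, matches nothing, and the quote never reaches the SQL parser, so the error the lab used as its first signal disappears too.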
Here we found an exploit that lets us inject a script that pops an alert box - a trivial use of reflected XSS. A parameter that is reflected this easily can make life harder for both developer and user.
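The reflected XSS above works because the low level echoes the name parameter straight into the page. The Python below is an added example, not the write-up's or DVWA's code (the <pre>Hello ...</pre> template is an assumption about the page layout and the payloads are constructed): it shows the verbatim reflection, a blocklist that only strips the literal <script> tag and is trivially bypassed, and context-aware escaping with html.escape, which is the actual fix for an HTML text context.

```python
import html

# Constructed inputs a user could submit in the name field.
PAYLOADS = [
    "Gordon",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]


def render_vulnerable(name):
    """DVWA-low style: the parameter is reflected into the HTML verbatim."""
    return f"<pre>Hello {name}</pre>"


def render_blocklist(name):
    """A blocklist that only removes the literal '<script>' tag; event handlers,
    case variants and anything else that runs script go straight through."""
    return f"<pre>Hello {name.replace('<script>', '')}</pre>"


def render_safe(name):
    """Escape for the HTML text context: <, >, &, and quotes become entities,
    so the browser shows the payload as text instead of parsing it as markup."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def reflects_raw_tag(page):
    """Crude check: does a raw '<' survive in the rendered page after 'Hello '?"""
    body = page.split("Hello ", 1)[1]
    return "<" in body.replace("</pre>", "")


if __name__ == "__main__":
    for payload in PAYLOADS:
        for renderer in (render_vulnerable, render_blocklist, render_safe):
            page = renderer(payload)
            print(f"{renderer.__name__:18} raw tag: {reflects_raw_tag(page)!s:5} {page}")
```

Escaping must match the context the value lands in; html.escape is right for element text and quoted attribute values, but a value placed inside a script block, a URL, or an unquoted attribute needs its own encoding.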
After Lab Review
The application I am experimenting with in this lab is made to be tampered with, and several exploits are built in by design. Playing around at the low setting in particular would be considered trivial in the security industry, and any business that exposes risks like these does not take its security seriously. I learned how easy it is to take advantage of such exploits, simply by using a website's own search field.