Scribd
Upload
53 views21 pages

11XVWA Technical Run

Uploaded by

naruto.lm10.uzumaki
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
53 views21 pages

11XVWA Technical Run

Uploaded by

naruto.lm10.uzumaki
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

XVWA Technical Run

Information Security Inc.


Contents

• About XVWA ,Test environment & XVWA Installation


• SQL injection (error based) & SQL Injection (blind)
• OS Command injection
• XSS Reflected & DOM Based XSS
• File Inclusion
• References

2 Information Security Confidential - Partner Use Only


About XVWA

◎Xtreme Vulnerable Web Application (XVWA)


XVWA is a badly coded web application written in PHP/MySQL
that helps security enthusiasts to learn application security. It’s not
advisable to host this application online as it is designed to be
“Xtremely Vulnerable”.

• Link: https://github.com/s4n7h0/xvwa

• Docker Image: https://github.com/tuxotron/xvwa_lamp_container


#docker search xvwa

3 Information Security Confidential - Partner Use Only


Test environment & XVWA Installation

◎Test environment
• Kali linux (SMP Debian 4.6.4-1kali1) with XVWA docker image.
IP:192.168.10.12

• Mysql database
mysql Ver 14.14 Distrib 5.6.30, for debian-linux-gnu (x86_64) using
EditLine wrapper

• Apache webserver
Server version: Apache/2.4.25 (Debian)

• Docker install script:


- XVWA docker image: https://github.com/tuxotron/xvwa_lamp_container
#docker search xvwa
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
tuxotron/xvwa

4 Information Security Confidential - Partner Use Only


Test environment & XVWA Installation

• Run XVWA docker image


# docker run --name xvw -d -p 80:80 tuxotron/xvwa

• Setup the database


Access http://192.168.10.12/xvwa/setup

5 Information Security Confidential - Partner Use Only


SQL injection (error based)

• SQL injection is an attack technique by which a malicious user can


run SQL code with the privilege on which the application is
configured.

• More about SQL Injection


https://www.owasp.org/index.php/SQL_Injection

6 Information Security Confidential - Partner Use Only


SQL injection (error based)

◎Checking vulnerability
POST Request: item=&search='

7 Information Security Confidential - Partner Use Only


SQL injection (error based)

◎Exploit the vulnerability

【POST Request -> item=&search=0‘=‘0】 【POST Request -> item=&search='>1=‘】

8 Information Security Confidential - Partner Use Only


SQL injection (blind)

• Blind SQL (Structured Query Language) injection is a type of SQL


Injection attack that asks the database true or false questions and
determines the answer based on the applications response. The
difference here is that user/attacker will not see any backend error
message in this case.

• More about Blind SQL Injection


https://www.owasp.org/index.php/Blind_SQL_Injection

9 Information Security Confidential - Partner Use Only


SQL injection (blind)

◎Checking vulnerability
POST Request that returns ‘false’ -> item=&search=‘ and 1=0#
If the web application is vulnerable to SQL Injection, then it probably will not return
anything.

10 Information Security Confidential - Partner Use Only


SQL injection (blind)

◎Vulnerability
If the web application is vulnerable to SQL Injection, then it probably will not return
anything.To make sure, the attacker will inject a query that will return 'true‘; If the
content of the page that returns 'true' is different than that of the page that returns 'false',
then the attacker is able to distinguish when the executed query returns true or false.
POST Request that returns ‘false’ -> item=&search=‘ and 9=9#

11 Information Security Confidential - Partner Use Only


OS Command Injection

Some applications use operating system commands to execute


certain functionalities by using bad coding practices, say for instance,
usage of functions such as system(),shell_exec(), etc. This allows a
user to inject arbitrary commands that will execute on the remote
host with the privilege of web server user. An attacker can trick the
interpreter to execute his desired commands on the system.

• More about OS Command Injection


https://www.owasp.org/index.php/Command_Injection

12 Information Security Confidential - Partner Use Only


OS Command Injection

◎Example: 8.8.8.8; echo "¥n"; echo "Date $(date)" echo "¥n"; && ifconfig

13 Information Security Confidential - Partner Use Only


XSS Reflected

Cross Site Scripting attacks abuse the browser’s functionality to


send malicious scripts to the client machine. In other words, this is
client side attack. Cross Site Scripting attacks are generally be
categorized into two categories: stored and reflected. In reflected
attacks, the application reflects the malicious script back on the
browser.

• More about XSS Reflected


https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting#Reflected_XSS_.28AKA_Non-
Persistent_or_Type_II.29

14 Information Security Confidential - Partner Use Only


XSS Reflected

• Input
http://192.168.10.12/xvwa/vulnerabilities/reflected_xss/?item=ITEM

• Output

15 Information Security Confidential - Partner Use Only


XSS Reflected

◎The browser reflects injected JavaScript


• Input
JavaScript: %3cscript%3evar a =11; alert(a === 11);%3c/script%3e

• Output

16 Information Security Confidential - Partner Use Only


DOM Based XSS

◎Vulnerability discovery
• Access
http://192.168.10.12/xvwa/vulnerabilities/dom_xss/

• Input
http://192.168.10.12/xvwa/vulnerabilities/dom_xss/?search=adi

• Output

17 Information Security Confidential - Partner Use Only


DOM Based XSS in XVWA

◎Vulnerability discovery
• Output
Output is not showing in source code. But show in Inspect Element
because input is not maded by PHP or backend code. Its occur from
JavaScript Code. So its not show in source code directly and just only work
in browser.
Function search() explained: When ?search found in URL , the input
after ?search= will show in the element that is defined by id=srch. Can use
html tag for XSS purpose.

18 Information Security Confidential - Partner Use Only


DOM Based XSS

◎Vulnerability discovery
• Input

• Output

19 Information Security Confidential - Partner Use Only


File inclusion

File inclusion is an attack that would allow an attacker to access


unintended files on the server.

• More about File inclusion


https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion

20 Information Security Confidential - Partner Use Only


References

• OWASP
https://www.owasp.org/index.php/Category:Attack

• Github
https://github.com/s4n7h0/xvwa
https://github.com/tuxotron/xvwa_lamp_container

21 Information Security Confidential - Partner Use Only

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy