Ak Cyber Next5
Ak Cyber Next5
Experiment 6
Aim: - SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an
attacker can manipulate input fields to extract, modify, or delete database information.
Theory: -
SQL Injection (SQLi)
SQL injection is one of the most common attacks used by hackers to exploit any SQL database-driven web
application. It’s a technique where SQL code/statements are inserted in the execution field with an aim of
either altering the database contents, dumping useful database contents to the hacker, cause repudiation issues,
spoof identity, and much more. Let’s take a simple scenario where we have a web application with a login
form with username and password fields. If the developer used PHP for development, the code would look
like this:
If a user Karen with the password
‘12345’ wanted to log in, after
clicking the Submit or the Log in
button, the query that would be
sent to the database would look
like this:
If an attacker knew the username
and wanted to bypass the login
window, they would put
something like Karen;-- in the
username field. The resulting
SQL query would look like this:
What the attacker has done, is adding the -- (double-dash) which comments the rest of the SQL statement. The
above query will return the information entered in the password field making it easier for the attacker to bypass
the login screen.
The main reason that makes websites vulnerable to SQL injection attacks can be traced back to the web
development stage. Some of the techniques that can be implemented to prevent SQL injection include:
• Input validation: If the website allows user input, this input should be verified whether it’s allowed or not.
• Parametrized queries: This is a technique where the SQL statements are precompiled and all you have to do
is supply the parameters for the SQL statement to be executed.
• Use Stored procedures
• Use character-escaping functions
• Avoid administrative privileges: Don't connect your application to the database using an account with root
access.
• Implement a Web application firewall (WAF)
Pre-requisites
This tutorial expects that you have an up and running DVWA setup. If you have not yet installed DVWA on
your Kali Linux system, please check out the article which gives a step-by-step guide.
Interestingly, when you check the URL, you will see there is an injectable parameter which is the ID.
Currently, my URL looks like this:
SQL Injection
Step3: Always True Scenario
An advanced method to extract all the First_names and Surnames from the database would be to use the input:
%' or '1'='1'.
SQL Injection
From the image above, you can see the password was returned in its hashed format. To extract the password,
copy the MD5 hash and use applications like John the Ripper to crack it. There are also sites available on the
internet where you can paste the hash and if lucky, you will be able to extract the password.
Conclusion
SQL injection proves to be a critical vulnerability that can exist in a system. Not only can attackers exploit it
to reveal user or customer information, but it can also be used to corrupt the entire database thus bringing the
whole system down. Injection is listed as the number one vulnerability in the OWASP Top 10 Vulnerabilities
summary. The DVWA acts as a reliable resource for both penetration testers who want to improve their skills
and web developers who want to develop systems with security in mind
Experiment 7
Aim: - Cross Site Scripting XXS: Exploit XXS vulnerability in DVWA to inject malicious
scripts into web pages, Show the potential impact of XXS attacks, such as stealing cookies or
defacing websites.
Theory: -
Cross Site Scripting XXS
Cross Site Scripting (XSS) is a vulnerability in a web application that allows a third party to execute a script in
the user’s browser on behalf of the web application. Cross-site Scripting is one of the most prevalent
vulnerabilities present on the web today. The exploitation of XSS against a user can lead to various consequences
such as account compromise, account deletion, privilege escalation, malware infection and many more.
Vulnerability
Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to
users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their
interaction with the application.
Types Of XXS
3. DOM-based XSS: -
DOM-based XSS is an advanced XSS attack. It is possible if the web application’s client-side scripts write
data provided by the user to the Document Object Model (DOM). The data is subsequently read from the
DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can
inject a payload, which will be stored as part of the DOM and executed when the data is read back from the
DOM. A DOM-based XSS attack is often a client-side attack and the malicious payload is never sent to the
server. This makes it even more difficult to detect for Web Application Firewalls (WAFs) and security
engineers who analyze server logs because they will never even see the attack. DOM objects that are most
often manipulated include the URL (document.URL), the anchor part of the URL (location.hash), and the
Referrer (document.referrer).
XXS pop up
• For the "Medium" security level: -
- Input the payload <img src="x" onerror="alert('stored XSS');">into the name field.
- Modify the maxlength attribute to bypass client-side restrictions.
- Submit the form to confirm the successful exploitation.
These steps demonstrate how to exploit stored XSS vulnerabilities in different security levels of DVWA.
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity
of the application and the ways it handles user-controllable data.
In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following
measures:
• Filter input on arrival. At the point where user input is received, filter as strictly as possible based on
what is expected or valid input.
• Encode data on output. At the point where user-controllable data is output in HTTP responses, encode
the output to prevent it from being interpreted as active content. Depending on the output context, this might
require applying combinations of HTML, URL, JavaScript, and CSS encoding.
• Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain
any HTML or JavaScript, you can use the Content-Type and X-Content-TypeOptions headers to ensure that
browsers interpret the responses in the way you intend.
• Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce
the severity of any XSS vulnerabilities that still occur.
Experiment 8
Theory: -
Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web
application in which they’re currently authenticated. With a little help of social engineering (such as sending
a link via email or chat), an attacker may trick the users of a web application into executing actions of the
attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform
state changing requests like transferring funds, changing their email address, and so forth. If the victim is an
administrative account, CSRF can compromise the entire web application.
Before going into implementation, it would be nicer to understand why and how the attacks work. To
elaborate, first, we need to know what HTTP protocol is. HTTP protocol (a.k.a Hyper Text Transfer Protocol)
is a network protocol for the web applications.
It works as following:
Clients ask for HTTP request to server, and server responds to the client by giving status code.
However, it is very important to notice that HTTP is stateless. That is, there is no record of previous
interactions and thus, users have to go through the authentication/verification process whenever they make a
new request. Think of checking email. Though you have definitely logged into google to check your email,
you have to log in again when you check your mailbox. What a big inconvenience! And this is where the
session and cookie come in.
Two things to know. The first cookie, and second session. cookie contains data in form of dictionary for
purpose of transferring data between client and server. And session is to have a state, allowing to maintain a
particular state until closing the browser. The basic idea is following:
Once accessing to web application, cookie is stored at local hard disk and session ID is generated, and session
ID is also stored in cookie. if clients try to access again, cookie with session ID is transferred to web server to
give false impression that clients have been maintaining the state.
User can notice that Get method is used to transfer passwords without any encryption. What we are going to
do is that by exploiting data from HTTP request, we aim to change the password of the victim as we have
previously set.
To make it a bit realistic, I sent an e-mail claiming that I won a lottery to myself (victim) with HTML
containing a malicious request. Like this. (you can find sample HTML file(csrf.html) below is the part of the
code to make request to server.
Once the receiver (me) found the e-mail and clicked the provided link, you can find that Get request is
transferred to web server and the password of the innocent receiver has been simultaneously changed. The
thing is unless specifically notified of changing password, the victim is very unlikely to notice the change.
While I have made a button to make change visible. You may try to use on load function.
The grounds for a successful attack lie on the cookie. As seen above, the same cookie has been used, meaning
that web server has no choice but to treat the malicious requests as equally as normal requests. Also, you can
notice that the parameter for changing password and referer, origin indicating where the request came from
have been changed. Next, we will try to hack medium level. In medium level, web server tries to protect itself
from being attacked by checking ‘referer’.
However, checking the referer cannot be an ultimate solution because attack can be implemented on the very
particular web server, thus avoiding the protection scheme. Moreover, if you look into the code, it can be
shown that protection will become useless if the attacker include web server address.
DVWA provides one of ideal solution to protect password from CSRF attack. That is, to require users to
provide current password. It can be seen if you change security level to impossible.
If the attacker implements CSRF only attack, there is no way for him to get current password. As he cannot
extract current password, the attack is never going to happen.
Experiment 9
Aim: - File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities
in DVWA. Show how attackers can include malicious files on a server and execute arbitrary
code.
Theory: -
File Inclusion Attack
It is an attack that allows an attacker to include a file on the web server through a php script. This vulnerability
arises when a web application lets the client submit input into files or upload files to the server. A file include
vulnerability is distinct from a generic Directory Traversal Attack, in that directory traversal is a way of
gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads
code for execution. Successful exploitation of a file include vulnerability will result in remote code execution
on the web server that runs the affected web application.
Types:
a) Local File Inclusion
b) Remote File Inclusion
LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can
be very dangerous because if the web server is misconfigured and running with high privileges, the attacker
may gain access to sensitive information. If the attacker is able to place code on the web server through
other means, then they may be able to execute arbitrary commands.
RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine,
the attacker is able to execute code hosted on their own machine.
Remote File inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often found in poorly-
written web applications. These vulnerabilities occur when a web application allows the user to submit input
into files or upload files to the server.
a. Local File Inclusion in Action
Difficulty: LOW
Now start your machine and login to DVWA, then go to DVWA security tab and change the difficulty level
to low.
Go to file inclusion tab and change the URL from incude.php to ?page=../../../../../../etc/passwd.
Difficulty: MEDIUM
Now, go on and try the exploits we used in low difficulty. You will notice that you can’t read files like before
using the directory traversal method. So, as you can see in the below snapshot of source page, the server is
more secure and is filtering the ‘../’ or ‘..\’pattern. Let’s try to access the file without ‘../’ or ‘..\’.
Difficulty: LOW
Now, Let’s start with the Low difficulty.
Change the difficulty to low and go to file inclusion tab.
Let’s change include.php to http://www.google.com so the final URL will look something like this,
?page=http://www.google.com
?page=httP://imdb.com
Difficulty: HIGH
We can’t exploit the high difficulty using RFI as we can see in source page, we know that the target web-
server is only accepting “include.php” or anything that’s starting with the word “file” that’s why we can’t
include anything from an outside server.
Experiment 10
Aim: - Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and
demonstrate brute-force and dictionary attacks against weak passwords. Emphasize the
importance of strong password policies.
Theory: -
Brute Force Attack
A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page.
Hackers work through all possible combinations hoping to guess correctly. These attacks are done by ‘brute
force’ meaning they use excessive forceful attempts to try and ‘force’ their way into your private account(s).
This is an old attack method, but it's still effective and popular with hackers. Because depending on the length
and complexity of the password, cracking it can take anywhere from a few seconds to many years.
Burp Suite is one of the most helpful website hacking tools for conducting security testing of web applications.
It has various ethical hacking tools that work seamlessly together to support the entire penetration testing
process. It ranges from initial mapping to analysis of an application’s weakness.
Step 1: Inside DVWA, select the Brute Force option, which takes user to a Login page.
Step 2: Enter admin for the username and admin for the password, which is the wrong
username and password.
Step 3: In the Burp Suite tool, follow the path: Target → Site map → http://localhost →
URL Containing the following:
/DVWA/vulnerabilities/brute/?username=admin&password=admin&Login=Login
HTTP/1.1
The Raw Request data is the HTTP request sent to the server during a brute-force attack. It contains all the
details required to send a request, such as the HTTP method, target URL, request headers, and request body.
As one can see, the username and password, admin & admin, user initially tried to log in with appears in line
1.
Clicked on the Payloads tab to configure and add a list of strings used as payloads.
For the first Payload set, Type a list of 17 words for the username.
Click the drop-down arrow in Payload set and select 2 for the second Payload set.
b. Start the Attacking with Kali Linux using dictionary attack for authentication login.
Step 3: We will open Burp on Kali and interrupt the request and send it to the intruder to use the dictionary
attack.
Burp Proxy
Burp Intruder
We will use the most common password list in the payload to do the attack.