Hello learners, in this guide we will be learning how to execute web attacks on Damn Vulnerable Web App. DVWA is an open source project comprising a vulnerable web application for practicing web penetration testing. In Damn Vulnerable Web App, we have different common vulnerabilities found on web applications. The guide will give you a step by step procedure on how to exploit these vulnerabilities. The top 10 vulnerabilities found on Damn Vulnerable Web App include:
- Broken authentication.
- Sensitive Data Exposure.
- XML External Entities (XXE).
- SQL Injection.
- XSS (Cross-Site Scripting).
- Lack of monitoring and sufficient logging.
- Use of components with known vulnerabilities.
- Insecure De-serialization.
- Security misconfiguration.
- Broken Access Control.
We will cover some of the common attacks mentioned above. Before starting, make sure you:
- Have a running instance of Linux (Kali Linux is the preferred distro for this guide).
- Have a running instance of the Damn Vulnerable Web App. (You can choose to run DVWA as a web application or access it by installing the Metasploitable vulnerable Linux instance.)
With that in mind, we can now exploit some of the vulnerabilities found on the Damn Vulnerable Web Application.
Exploit 1: Damn Vulnerable Web App SQL Injection attack
In the Damn Vulnerable Web Application SQL injection attack, we perform an SQL injection on an input field presented for us to search the users in the database by knowing only their user id, as shown on the image below.
At the low security level of Damn Vulnerable Web App, the SQL injection page presents a form field whose input is not validated or typed in any way: the application builds dynamic SQL queries directly from the data the user provides. Knowing this, we can insert an SQL command as the input in order to view the other records searchable through the input field. To view the data we use the below SQL injection command.
Once you submit the request with the above value in the "ID" field, the web application will return all the users as the results of our query, as shown on the screen below.
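To see why the low-security form is exploitable and what the fix looks like, here is an added example (not code from the DVWA project) in Python with SQLite. The table, column names and sample rows are constructed to stand in for DVWA's users table; the vulnerable function mirrors the string-concatenation pattern, and the hardened one validates the id and binds it as a query parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the DVWA users table (assumption: the
    real schema differs; only the query-building pattern matters here)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return db


def lookup_user_vulnerable(db, user_id):
    """Low-security pattern: the request value is pasted into the SQL text, so a
    value such as '1 OR 1=1' changes the WHERE clause and returns every row."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {user_id}"
    return db.execute(query).fetchall()


def lookup_user_parameterized(db, user_id):
    """Parameter binding alone: the value is sent as data, never as SQL, so a
    non-numeric string simply matches nothing instead of rewriting the query."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (user_id,)).fetchall()


def lookup_user_hardened(db, user_id):
    """Validation plus binding: reject anything that is not a positive integer
    before it reaches the database, then bind the integer as a parameter."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("user_id must be a positive integer")
    return lookup_user_parameterized(db, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("normal lookup      :", lookup_user_vulnerable(db, "1"))
    print("tautology, vulnerable:", lookup_user_vulnerable(db, "1 OR 1=1"))
    print("tautology, bound    :", lookup_user_parameterized(db, "1 OR 1=1"))
    try:
        lookup_user_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("tautology, hardened :", exc)
```

The binding step is what actually closes the hole; the integer check on top of it gives the application a clean place to log and reject malformed requests before the database ever sees them.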
Exploit 2: Command Execution Attack
In Damn Vulnerable Web Application, command execution is one of the common vulnerabilities. Through this vulnerability an attacker is able to run multiple commands disguised as a single command on the web application. In our attack, we will be pinging our localhost and also displaying the contents of a location we specify in the command we want to execute after the ping, as shown on the image below.
localhost| cat /etc/passwd
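The page's ping form fails because the host value is spliced into a shell command line, so the `|` above starts a second command. As an added example (not DVWA's code), here is how a ping endpoint would validate the host and invoke ping without a shell, plus a small check that flags shell metacharacters for logging. The function names and the hostname regex are this example's own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)

# Characters that let a value escape its intended argument in a shell string.
SHELL_METACHARS = set(";|&$`<>()\n\r")


def is_valid_host(value):
    """Accept only an IPv4/IPv6 literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(value))


def looks_like_injection(value):
    """Detection helper: True if the submitted value carries shell metacharacters.
    Useful for alerting on attempts even though validation already rejects them."""
    return any(ch in SHELL_METACHARS for ch in value)


def build_ping_argv(host):
    """Vulnerable pattern: f'ping -c 1 {host}' passed to a shell.
    Safe pattern: an argv list, so the host is always exactly one argument."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5):
    """Run ping with the validated argv (no shell involved) and return its stdout."""
    result = subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, timeout=timeout
    )
    return result.stdout


if __name__ == "__main__":
    for candidate in ["localhost", "127.0.0.1", "localhost| cat /etc/passwd"]:
        print(f"{candidate!r}: valid={is_valid_host(candidate)}, "
              f"suspicious={looks_like_injection(candidate)}")
```

Even with the argv form, validation still matters: ping treats a value starting with `-` as an option, and the hostname pattern above rejects leading hyphens for that reason.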
Exploit 3: XSS Attacks
XSS stands for cross site scripting. Attackers use these attacks to run malicious scripts on trusted websites. In this section we will discover and exploit three variants of this vulnerability.
1. XSS (DOM)
We first make sure the Damn Vulnerable Web Application security is set to low and navigate to the XSS(DOM) page on DVWA as shown on the image below.
On the image above, we can see in the URL that the default parameter is set to English, the default language. We will try entering some random information to see if the website is vulnerable. I tried replacing English with a string, "This is a test". Once the word is replaced, we can see our new value shown as the default, as on the image below.
Having confirmed the website is vulnerable, we now move on to adding a script that will run our desired code. Since we want to get the cookie, we will use the below script.
Once the script runs on the server, we will be able to obtain the session ID as shown on the image below.
2. XSS (Reflected)
In reflected XSS attacks, the user input is written straight into the page's HTML unless it is empty, so nothing prevents scripts supplied through the input from executing. This is one of the easiest but most common web application attacks. First we navigate to the XSS reflected category on our Damn Vulnerable Web Application, where we are presented with an input field as shown on the image below.
As you can see on the link at the top, the name variable has Justin as the input. We will try inserting the below script to show the session id on the input field.
Once we click Submit, we get an alert displaying the session id of the current user as shown on the image below.
3. XSS (Stored)
Stored XSS is more dangerous than the other variants because the payload is saved in the database. The vulnerability arises when user input is not filtered before being stored. Attackers inject malicious code to force pop ups on any person who visits the website, and these pop ups can be modified to redirect website visitors to malicious websites. To exploit this vulnerability on the Damn Vulnerable Web App, we navigate to the XSS (stored) option on the DVWA main page as shown below.
We can see a guest book with a name and a message input field. We will insert a comment to see if the website is vulnerable. We first insert a comment with a unique string, then inspect the element and see if we can locate the unique string we posted as a comment, as shown on the image below.
If you can locate the comment, that means the website is vulnerable. We will now submit a script in the message input field; the script executes whenever a user loads the page. We will submit the below script, which shows the session id.
Once the script is inserted on Damn Vulnerable Web App, it will appear as shown on the image below. The website will always pop up the session id whenever it loads until the script is removed from the database.
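Both the reflected and the stored variants above come down to the same defect: user input is written into HTML as markup instead of as text. As an added example (not DVWA's code), here is a Python rendering of the guest book and the reflected greeting that escapes output, together with a session cookie built with the `HttpOnly` flag so that even a script that does run cannot read it. The entries, the function names and the page layout are constructed for this example.

```python
import html


def render_reflected_greeting(name):
    """Reflected page: the name comes straight from the request. html.escape
    turns <, >, &, and quotes into entities so the browser shows text, not tags."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def render_guestbook(entries):
    """Stored page: entries were saved earlier, so escaping must happen here,
    at output time, every time the page is built, regardless of who stored them."""
    rows = []
    for entry in entries:
        name = html.escape(entry["name"], quote=True)
        message = html.escape(entry["message"], quote=True)
        rows.append(f"<div class='entry'>Name: {name}<br />Message: {message}</div>")
    return "\n".join(rows)


def session_cookie_header(session_id):
    """Set-Cookie value for the session. HttpOnly keeps document.cookie from
    exposing it to page scripts; Secure and SameSite limit where it is sent.
    PHPSESSID is the default PHP session cookie name DVWA relies on."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def cookie_readable_by_script(set_cookie_value):
    """Detection check for a response header: True if the cookie lacks HttpOnly."""
    attributes = [part.strip().lower() for part in set_cookie_value.split(";")]
    return "httponly" not in attributes


if __name__ == "__main__":
    # Constructed guest book entries; the second mimics a script being stored.
    entries = [
        {"name": "test", "message": "hello guestbook"},
        {"name": "x", "message": "<script>alert(1)</script>"},
    ]
    print(render_guestbook(entries))
    print(render_reflected_greeting("<img src=x onerror=alert(1)>"))
    print(session_cookie_header("constructed-session-id"))
```

Escaping at output time is the general fix for reflected and stored XSS alike; the cookie flag is a second layer that limits what a script can steal if a rendering path is missed. Note that it does not cover the DOM variant, where the browser-side JavaScript, not the server, writes the URL parameter into the page.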
Damn Vulnerable Web App is an intentionally vulnerable web application built for practice by aspiring penetration testers. It has the common vulnerabilities found on web applications on the internet. Damn Vulnerable Web App is free and open source, and anyone can get a copy of the web application from the official website. In the above guide we were able to discuss and exploit some of the most common vulnerabilities. More vulnerabilities will be covered in the upcoming guides.